
OpenVPN: Can see devices connected to my local network


I have an OpenVPN server installed on Debian (public IP 90.191.183.193). I run the OpenVPN client on Windows 10, load the generated .ovpn file and connect. I can see devices connected to the network the server is running on; however, I can also see devices connected to my local network, which I don't like. Here are some files:

openvpn.conf

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/90.191.183.193.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/90.191.183.193.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto tcp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"
push "redirect-gateway def1"

ovpn_env.sh

declare -x OVPN_AUTH=
declare -x OVPN_CIPHER=
declare -x OVPN_CLIENT_TO_CLIENT=
declare -x OVPN_CN=90.191.183.193
declare -x OVPN_COMP_LZO=0
declare -x OVPN_DEFROUTE=1
declare -x OVPN_DEVICE=tun
declare -x OVPN_DEVICEN=0
declare -x OVPN_DISABLE_PUSH_BLOCK_DNS=0
declare -x OVPN_DNS=1
declare -x OVPN_DNS_SERVERS=([0]="8.8.8.8" [1]="8.8.4.4")
declare -x OVPN_ENV=/etc/openvpn/ovpn_env.sh
declare -x OVPN_EXTRA_CLIENT_CONFIG=()
declare -x OVPN_EXTRA_SERVER_CONFIG=()
declare -x OVPN_FRAGMENT=
declare -x OVPN_KEEPALIVE='10 60'
declare -x OVPN_MTU=
declare -x OVPN_NAT=0
declare -x OVPN_PORT=1194
declare -x OVPN_PROTO=tcp
declare -x OVPN_PUSH=()
declare -x OVPN_ROUTES=([0]="192.168.254.0/24")
declare -x OVPN_SERVER=192.168.255.0/24
declare -x OVPN_SERVER_URL=tcp://90.191.183.193
declare -x OVPN_TLS_CIPHER=

At the end of the user.ovpn file is redirect-gateway def1

I use this docker-compose.yml:

version: "3"
services:
  ovpn:
    image: kylemanna/openvpn:latest
    restart: always
    volumes:
      - ./ovpn-data:/etc/openvpn:rw
    ports:
      - 1194:1194/tcp
    cap_add:
      - NET_ADMIN

And two bash scripts to initialize and create clients:

init.sh

#!/bin/bash -x
docker compose run --rm ovpn ovpn_genconfig -u tcp://90.191.183.193
docker compose run --rm ovpn ovpn_initpki

create_client.sh

#!/bin/bash -ex
docker compose run --rm ovpn easyrsa build-client-full $1 nopass
docker compose run --rm ovpn ovpn_getclient $1 > $1.ovpn

Thanks in advance!

Nikita Kipriyanov:
Connecting to the VPN doesn't disconnect you from your local network. This is expected. This is like putting an additional network card into your computer. Generally I don't see why disabling access to the LAN would be useful.
Arseni Kalbin:
I have devices with repeating IP addresses, which create conflicts.
Nikita Kipriyanov:
Do you have the same network block here and there? Then you have to renumber one of them. And this is the lesson: never use "default" networks like 192.168.0.0 or 192.168.1.0 or 192.168.88.0 in the office; spend 30 minutes or so on network planning.
Arseni Kalbin:
What do you mean by "network planning"? I have to connect to my VPN server from ANY network. And if the network I am connecting from has the same IP addresses, I want to fully connect to the VPN, not seeing devices from the network I am connecting from. That's why I'm asking.
Arseni Kalbin:
I've just seen "block-local" flag. Where do I need to put it and how to use it?
Arseni Kalbin:
So is it possible to block local network access? Like to "remove another network card" and how?
Nikita Kipriyanov:
No, it's not possible. It is "second card", yet it's virtual. The physical connection is *required*. // Yes, you can connect to any network, but if network blocks overlap, you'll get problems. Usually just something will not be accessible, but in extreme cases there can be bigger problems (no network access while you are attempting to be in the VPN). Renumbering (changing network block on one side) is the *only* solution to these. // I don't know which flag you're talking about; there is `man openvpn` installed with openvpn package, which is the definitive documentation for the software.
Nikita Kipriyanov:
Also, I see absolutely no point in running OpenVPN inside Docker. Docker alone has quite complicated networking, and VPN is not an easy networking subject, it must be a nightmare to grasp them together.
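To make the routing behind this exchange concrete, here is an added example (not code from the question or from the kylemanna/openvpn image) that models the Windows client's route selection after it connects with the server config posted above. It builds a small longest-prefix-match table and shows three things: why `push "redirect-gateway def1"` sends Internet traffic through the tunnel yet leaves the client's own LAN reachable (the OP's complaint), how an overlapping LAN block collides with the pushed 192.168.254.0/24 route (Nikita's renumbering point), and the effect of the `block-local` flag the OP asks about, which the OpenVPN manual documents as `redirect-gateway def1 block-local` (route the local LAN, except the LAN gateway itself, into the tunnel). The interface names, metrics and sample addresses are constructed, and the block-local rows are a simplified model of that documented effect, not OpenVPN's own route code.

```python
"""Route-selection model for the OpenVPN client in this thread (added example).

Constructed sample table, not a dump of anyone's machine. Each route is
(network, interface, metric); the kernel picks the longest prefix, then the
lowest metric. 'eth0' is the client's physical NIC, 'tun0' the OpenVPN
adapter. The block-local rows are a simplified model (assumption) of the
documented 'redirect-gateway block-local' behaviour.
"""
from ipaddress import ip_address, ip_network


def client_table(lan, lan_gw, block_local=False):
    """Routes on the Windows client after connecting with the OP's server config."""
    lan = ip_network(lan)
    table = [
        (ip_network("0.0.0.0/0"), "eth0", 50),        # pre-existing default via the LAN gateway
        (lan, "eth0", 50),                              # connected LAN route
        (ip_network("192.168.255.0/24"), "tun0", 30),   # 'server 192.168.255.0 255.255.255.0'
        (ip_network("192.168.254.0/24"), "tun0", 30),   # pushed 'route 192.168.254.0 255.255.255.0'
        (ip_network("0.0.0.0/1"), "tun0", 30),          # redirect-gateway def1 adds two /1 routes ...
        (ip_network("128.0.0.0/1"), "tun0", 30),        # ... that beat the /0 without replacing it
    ]
    if block_local:
        # Simplified model of 'block-local': the LAN is routed into the tunnel
        # with a better metric, except the LAN gateway host itself.
        table.append((lan, "tun0", 10))
        table.append((ip_network(f"{lan_gw}/32"), "eth0", 10))
    return table


def matches(table, dst):
    """All routes covering dst at the longest matching prefix, best metric first."""
    dst = ip_address(dst)
    hits = [r for r in table if dst in r[0]]
    if not hits:
        return []
    longest = max(r[0].prefixlen for r in hits)
    return sorted((r for r in hits if r[0].prefixlen == longest), key=lambda r: r[2])


def egress(table, dst):
    """Interface the host would use for dst, or None if no route covers it."""
    best = matches(table, dst)
    return best[0][1] if best else None


def is_ambiguous(table, dst):
    """True when equal-length routes on different interfaces both cover dst.

    This is the 'same network block here and there' situation: the winner is
    decided only by metric, and hosts behind the loser become unreachable.
    """
    return len({r[1] for r in matches(table, dst)}) > 1


if __name__ == "__main__":
    scenarios = (
        ("192.168.1.0/24", "192.168.1.1"),       # LAN that does not overlap the VPN side
        ("192.168.254.0/24", "192.168.254.1"),   # LAN that collides with the pushed route
    )
    for lan, gw in scenarios:
        for block in (False, True):
            table = client_table(lan, gw, block)
            lan_host = lan.replace(".0/24", ".10")
            for dst in ("8.8.8.8", "192.168.254.10", lan_host, gw):
                flag = " (AMBIGUOUS)" if is_ambiguous(table, dst) else ""
                print(f"LAN {lan} block-local={block}: {dst} -> {egress(table, dst)}{flag}")
```

Run it and the first scenario shows Internet traffic leaving via tun0 while 192.168.1.10 still leaves via eth0, because the connected /24 is more specific than either /1 route; only the block-local rows move that host into the tunnel. The second scenario shows the overlap: 192.168.254.10 is covered by two /24 routes on different interfaces, so whichever side wins the metric tie-break hides the other side's device, which is exactly why renumbering one of the two networks is the fix the comments recommend.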