Allow Access to Server LAN

  • shinji14
    Junior Member
    • Dec 2024
    • 2

    How do I allow the client to access the server's LAN side?
    I was able to do this when I had the OpenVPN server running on Windows by enabling Internet Connection Sharing.
    I tried configuring /etc/config/firewall to masquerade the VPN, but it has no effect.
    So far this is what I have tried:
    • The OpenVpnClient can connect to the OpenVPN server.
    • Client and server can ping each other.
    • Client can't ping LanDevice 192.168.29.50.
    • Wireshark on 192.168.29.50 shows packets from 10.8.0.2.
    • The response from 192.168.29.50 does not show up at 10.8.0.2.

    /etc/config/firewall
    Code:
    # zone for the tun interface; 'vpn' is the interface section in /etc/config/network
    config zone 'vpn'
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        # masq here rewrites only packets that LEAVE through this zone (LAN -> tunnel);
        # vpn -> LAN packets leaving br-lan still carry their 10.8.0.x source address
        option masq '1'
        # clamp TCP MSS to the tunnel MTU
        option mtu_fix '1'
        option network 'vpn'

    # let tunnel clients reach the LAN and LAN hosts reach the tunnel
    config forwarding 'vpn_forwarding_lan_in'
        option src 'vpn'
        option dest 'lan'

    config forwarding 'vpn_forwarding_lan_out'
        option src 'lan'
        option dest 'vpn'
    Code:
    OpenVpnClient 10.8.0.2
        |  (tunnel)
    MainRouter 192.168.29.1
        +-- Openwrt 192.168.29.158 with OpenVpnServer 10.8.0.1
        +-- LanDevice 192.168.29.50
    Server:
    Code:
    port 443
    proto tcp4
    dev tun
    tcp-queue-limit 256

    ca "/ca.crt"
    cert "/server.crt"
    key "/server.key"
    # 1024-bit DH is below current recommendations (2048-bit or more, or ECDH)
    dh "/dh1024.pem"

    topology subnet
    server 10.8.0.0 255.255.255.0

    # routes pushed to clients: the LAN behind the server, plus 8.8.8.8 via the tunnel
    push "route 192.168.29.0 255.255.255.0"
    push "route 8.8.8.8 255.255.255.255"

    client-to-client
    keepalive 10 120
    # 'mode server' and 'tls-server' are already implied by 'server' above
    mode server
    tls-server
    # pins the legacy CBC cipher; AES-GCM is the modern default
    cipher AES-128-CBC
    data-ciphers AES-128-CBC
    auth SHA256
    persist-key
    persist-tun
    status "/tmp/openvpn-status.log"
    log "/tmp/openvpn.log"
    log-append "/tmp/openvpn.log"
    verb 3
    Client:
    Code:
    client
    dev tun
    proto tcp
    # the server above listens on 443, so 666 is presumably port-forwarded to 192.168.29.158:443
    remote server.com 666
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    # require the server certificate to carry the server EKU (blocks impersonation by another client cert)
    remote-cert-tls server
    cipher AES-128-CBC
    auth SHA256
    tls-client
    verb 3
    <ca>
    ....
  • RemoteOne
    Junior Member
    • Dec 2024
    • 6

    #2
    So, Wireshark is confirming to you that the device receives the packets from your clients. Your problem is you have not told either the device itself, or your default router, where to send the return packets for those clients.

    On your main router (or the device itself) you need to add a default static route to send all traffic for 10.8.0.0/32 via 192.168.29.158/32. Once it gets back to the OpenVPN server it will handle routing it back to the appropriate client.


    • shinji14
      Junior Member
      • Dec 2024
      • 2

      #3
      Thank you for the reply.
      Adding static routes in "MainRouter 192.168.29.1" needs to be avoided because it can be replaced and connectivity will be lost.

      If the static route is added to "Openwrt 192.168.29.158", will it work?
      It seems 192.168.29.0/24 devices will not be aware that the route to 10.8.0.2 is on 192.168.29.158.
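
The two fixes discussed above, as an added example that was not posted by anyone in this thread. The LAN hosts reply to 10.8.0.2 through their default gateway 192.168.29.1, which has no route for the tunnel, so the replies never reach OpenWrt. Option A is post #2's approach with the route covering the whole 10.8.0.0/24 tunnel subnet; Option B is for post #3's situation, where the main router cannot be touched: masquerade tunnel traffic on the lan zone of OpenWrt itself, so LAN hosts reply to 192.168.29.158, which they already know how to reach, and no route is needed anywhere. The script is mine: the addresses are the thread's, while the function names, the zone name lan, the fw4 chain name srcnat_lan and the sample `uci show firewall` output used for checking are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread. Two ways to give 192.168.29.0/24 hosts a
# return path to OpenVPN clients when OpenWrt (192.168.29.158) is not the LAN's
# default gateway. Addresses are the thread's; the function names, the zone name
# 'lan' and the fw4 chain name 'srcnat_lan' are assumptions.

VPN_NET="10.8.0.0/24"            # OpenVPN 'server 10.8.0.0 255.255.255.0'
OPENWRT_LAN_IP="192.168.29.158"  # OpenWrt's address on the LAN

# Option A: a route on the LAN's default gateway for the WHOLE tunnel subnet,
# next hop OpenWrt. Shown in iproute2 syntax; a consumer router's UI takes the
# same three values (destination, mask, gateway). Nothing changes on OpenWrt.
route_cmd_for_main_router() {
    echo "ip route add $VPN_NET via $OPENWRT_LAN_IP"
}

# Option B: source-NAT tunnel traffic as it leaves OpenWrt towards the LAN.
# 'option masq' on the vpn zone (the posted config) only rewrites packets that
# leave through tun0; it never touches vpn -> lan packets leaving br-lan.
# Masquerading must sit on the zone the packets LEAVE through, i.e. lan, and
# masq_src restricts it to packets that came from the tunnel.
# Trade-off: LAN hosts then see every VPN client as 192.168.29.158, so per-client
# attribution in their logs and any source-IP ACLs on them is lost; prefer
# Option A when that matters.

# Section id of the zone whose 'option name' is "$1", parsed from 'uci show
# firewall' on stdin: "firewall.@zone[0].name='lan'" -> "@zone[0]",
# "firewall.vpn.name='vpn'" -> "vpn".
zone_section() {
    sed -nE "s/^firewall\.(@zone\[[0-9]+]|[A-Za-z0-9_]+)\.name='$1'$/\1/p" | head -n 1
}

# Emit the uci commands for Option B (stdin: 'uci show firewall'). Emitting
# instead of running them lets you review them first.
masq_cmds_for_openwrt() {
    zone="$(zone_section lan)"
    if [ -z "$zone" ]; then
        echo "no firewall zone named 'lan' found" >&2
        return 1
    fi
    cat <<EOF
uci set firewall.$zone.masq='1'
uci add_list firewall.$zone.masq_src='$VPN_NET'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# On the OpenWrt box: apply Option B, then confirm fw4 (OpenWrt 22.03 and later)
# installed a masquerade rule in the lan zone's source-NAT chain.
apply_on_openwrt() {
    uci show firewall | masq_cmds_for_openwrt | sh || return 1
    if command -v nft >/dev/null 2>&1; then
        nft list chain inet fw4 srcnat_lan | grep -q masquerade
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_on_openwrt
fi
```

Copy it to the OpenWrt box and run `sh fix-return-path.sh --apply`; on an older fw3 (iptables) image the rule shows up under `iptables -t nat -S zone_lan_postrouting` instead of the nft chain. Before applying, `tcpdump -ni br-lan icmp and host 192.168.29.50` on OpenWrt shows the symptom from the first post: echo requests leaving with source 10.8.0.2 and no replies coming back, because the LAN host sends them to 192.168.29.1. After Option B the requests leave with source 192.168.29.158 and the replies return to OpenWrt, which un-NATs them and sends them down the tunnel.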
