Can't connect to LAN behind another GW

NethServer Version: 7
Module: openvpn Roadwarrior
Hello!
I have a problem, and I did not find a similar situation, so I raised the topic.
There is a gateway that is not NethServer, and behind it the VPN server on NS7 is set up. I created a user with a password and certificate for the Roadwarrior VPN in Routed mode. I can connect from the outside, but I can't get access to any resource inside the local LAN. I registered a static route on the gateway, but this did not solve the problem. The VPN subnet is trusted and the client receives an IP from the VPN server, but there is no access. What could be the problem?

Normal behavior when creating a VPN is that a 2nd local subnet is created. The VPN client gets an IP address in this 2nd local subnet. Also, a static route between the VPN subnet and the LAN subnet is created. Can you check if that static route between the 2 local subnets exists?

  • 10.172.90.0/24 via 10.10.10.6, eth1

This is a screenshot of the IP range.

Ping from the client reaches 10.172.90.1 (an IP from the VPN subnet), but ping from the client does not reach the local LAN; ping from the client to the VPN server (10.10.10.6) does get through. Also, ping from the GW to the VPN subnet and to the client IP does not get through. I tried adding a static route on the NS VPN, but that did not help.

PING 10.172.90.1 (10.172.90.1) from 10.10.10.250 eth1: 56(84) bytes of data.
64 bytes from 10.172.90.1: icmp_seq=1 ttl=64 time=0.431 ms
64 bytes from 10.172.90.1: icmp_seq=2 ttl=64 time=0.342 ms
64 bytes from 10.172.90.1: icmp_seq=3 ttl=64 time=0.378 ms

10.10.10.250 is the local GW IP.

PING 10.172.90.6 (10.172.90.6) from 10.10.10.250 : 56(84) bytes of data.
64 bytes from 10.172.90.6: icmp_seq=1 ttl=63 time=282 ms
64 bytes from 10.172.90.6: icmp_seq=2 ttl=63 time=100 ms
64 bytes from 10.172.90.6: icmp_seq=3 ttl=63 time=129 ms

10.170.90.6 is the remote client IP.

But apart from the NS VPN and the local GW, the client cannot ping anything.


default via 10.10.10.250 dev ens32
10.10.10.0/24 dev ens32 proto kernel scope link src 10.10.10.6
10.172.90.0/24 via 10.172.90.2 dev tunrw
10.172.90.2 dev tunrw proto kernel scope link src 10.172.90.1

This is the route table from the diagnostic pane of the NS VPN server.

22.02.2020 13:48, Rob Bosch via NethServer Community writes:

Did you add a static route for your VPN network on your gateway pointing to the Nethserver?

Thank you @mrmarkuz - your post back then helped me understand this when I first started using Neth as my primary VPN setup.

I’ve been reading up on this from personal use cases and from a couple of posts I’ve seen pop up. Those who use Nethserver as an appliance/1 nic and not as a gateway run into some common issues. The Roadwarrior comes in either Bridged or Routed mode, and in turn with tap vs tun virtual adapters used respectively. If the Roadwarrior OpenVPN server was configured to be in Routed Mode while using a tap virtual adapter, I think the above use case would have already been resolved. I have similar experience using Zentyal as an OpenVPN server/single nic appliance that allowed for tap interfaces to be specified while also segmenting off the VPN service to its own IP subnet. As is, if you want to use Nethserver Roadwarrior mode without it being the primary gateway device, static routes must be defined in order for the networking to function properly, because the tun adapter works at layer 3.

Maybe this belongs in another post but maybe we could brainstorm ideas to better document this up front or explore other avenues. My initial thought was to create a custom OpenVPN Roadwarrior template and see if I could get the service to run with a tap interface but I went to bed last night before I had time to find out.


Good idea.

I like this one, but I would add a hint where and how the static route should be configured, and I’d put it in the Roadwarrior section:

“If you want to use routed mode and Nethserver is not your gateway, a static route for the VPN on your gateway pointing to the Nethserver is needed.”
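The two things this thread keeps coming back to are the static route on the gateway that Rob asks about and the layer-3 reason behind it from the post above: in routed (tun) mode the VPN subnet is a separate network, so every LAN host's reply has to travel LAN host -> gateway -> NethServer -> tun, and the gateway only knows the NethServer is the way there if it has that route. The script below is an added example, not code from NethServer or from anyone in this thread. It parses `ip route` text into a table, does the kernel's longest-prefix lookup, and walks a packet hop by hop through a small lab built from the route table posted above for the NethServer (10.10.10.6 / 10.172.90.1) and constructed tables for the gateway (10.10.10.250), a LAN host (10.10.10.50, assumed) and the VPN client (10.172.90.6). The WAN address 203.0.113.1 and the interface names on the gateway, LAN host and client are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    via: Optional[str]   # next-hop address, None for an on-link route
    dev: Optional[str]


@dataclass
class Host:
    name: str
    addrs: set                                   # the host's own IPv4 addresses
    routes: list                                 # parsed `ip route` table
    tun_peers: set = field(default_factory=set)  # VPN client IPs reachable over the tun device


def parse_ip_route(text):
    """Parse the text form of `ip route` into Route objects (only dst/via/dev are kept)."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = (ipaddress.ip_network("0.0.0.0/0") if parts[0] == "default"
               else ipaddress.ip_network(parts[0], strict=False))
        via = dev = None
        for i, tok in enumerate(parts):
            if tok == "via":
                via = parts[i + 1]
            elif tok == "dev":
                dev = parts[i + 1]
        routes.append(Route(dst, via, dev))
    return routes


def lookup(routes, ip):
    """Longest-prefix match, the same rule the kernel applies."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if addr in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def has_return_route(routes, vpn_subnet, ns_ip):
    """The check asked for in the thread: does this gateway send the VPN subnet to the NethServer?"""
    r = lookup(routes, str(ipaddress.ip_network(vpn_subnet)[1]))
    return r is not None and r.via == ns_ip


def trace(hosts, src_name, dst_ip, max_hops=8):
    """Walk a packet hop by hop and return (path, reason it stopped)."""
    by_addr = {a: h for h in hosts.values() for a in h.addrs}
    path, cur = [src_name], hosts[src_name]
    for _ in range(max_hops):
        if dst_ip in cur.addrs:
            return path, "delivered"
        if dst_ip in cur.tun_peers:            # OpenVPN hands it to the connected client
            path.append("vpn-client " + dst_ip)
            return path, "delivered"
        r = lookup(cur.routes, dst_ip)
        if r is None:
            return path, "no route"
        target = dst_ip if r.via is None else r.via   # on-link: straight to the destination
        nxt = by_addr.get(target)
        if nxt is None:
            return path, "leaves the lab: next hop %s on %s" % (target, r.dev)
        path.append(nxt.name)
        cur = nxt
    return path, "hop limit reached"


# The NethServer table is the one posted in the thread; the gateway, LAN host and client
# tables, and the 203.0.113.0/24 WAN side, are constructed for this example.
NS_ROUTES = """
default via 10.10.10.250 dev ens32
10.10.10.0/24 dev ens32 proto kernel scope link src 10.10.10.6
10.172.90.0/24 via 10.172.90.2 dev tunrw
10.172.90.2 dev tunrw proto kernel scope link src 10.172.90.1
"""
GW_ROUTES = """
default via 203.0.113.1 dev eth0
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.250
"""
GW_STATIC_ROUTE = "10.172.90.0/24 via 10.10.10.6 dev eth1\n"   # the hint's static route
LAN_HOST_ROUTES = """
default via 10.10.10.250 dev eth0
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.50
"""
CLIENT_ROUTES = """
10.172.90.1 dev tun0 proto kernel scope link src 10.172.90.6
10.10.10.0/24 via 10.172.90.1 dev tun0
"""


def build_lab(gw_has_static_route=True):
    gw_text = GW_ROUTES + (GW_STATIC_ROUTE if gw_has_static_route else "")
    return {
        "gw": Host("gw", {"10.10.10.250", "203.0.113.10"}, parse_ip_route(gw_text)),
        "ns": Host("ns", {"10.10.10.6", "10.172.90.1"}, parse_ip_route(NS_ROUTES),
                   tun_peers={"10.172.90.6"}),
        "lan-host": Host("lan-host", {"10.10.10.50"}, parse_ip_route(LAN_HOST_ROUTES)),
        "client": Host("client", {"10.172.90.6"}, parse_ip_route(CLIENT_ROUTES)),
    }


if __name__ == "__main__":
    for static in (True, False):
        lab = build_lab(static)
        print("gateway static route present:", static, "| return route OK:",
              has_return_route(lab["gw"].routes, "10.172.90.0/24", "10.10.10.6"))
        print("  client -> LAN host:", trace(lab, "client", "10.10.10.50"))
        print("  LAN host -> client:", trace(lab, "lan-host", "10.172.90.6"))
```

Run as-is, the lab without the static route shows the asymmetry the hint warns about: the client reaches the LAN host, but the reply leaves through the gateway's default route and never comes back. With the static route both directions are delivered. When both traces are clean and the gateway route is present, as in the original poster's setup, routing is no longer the suspect and the next place to look is whether the gateway or the NethServer firewall drops the forwarded traffic, which is the log check Rob asks for later in the thread.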

Yes, I added a static route on the GW.

This is the entry from my main gateway, where 10.10.10.6 is the NS VPN and 10.172.90.0/24 is the VPN subnet.
But the VPN client does not gain access to resources in the local LAN.

The VPN client can ping only the GW and the VPN server.

Is eth1 the correct interface on your gateway?

It’s the physical interface on my GW looking into the local LAN (green) 10.10.10.0/24, where the NS VPN 10.10.10.6 is connected.

If I disable the static route on the GW, ping to the GW and the NS VPN from the client side is DOWN. If the static route is enabled, ping to the GW and the NS VPN from the client side is UP, but not a single resource can be reached.

Did you check your router/firewall gateway logs to see if it was dropping traffic?

I will try to connect my NS VPN with another scheme. When it is complete and tested, I’ll write about the results. Thanks for watching me.