Open VPN Routed mode, can’t connect to Lan

Matthew99 · April 12, 2018, 4:59pm

Hi
I’ve been struggling this for a while now and hoping someone can help me get this sorted.
I have been using Roadwarrior Bridged Tap mode for a while now but wanted to set up a new server to test Tun Routed mode but am unable to get it routing to internal LAN

Network 192.168.30.x /23
Sub 255…255.254
Gateway 192.168.30.1
Netserver 7.4 – 192.168.30.19- VPN server and sat behind a Sonicwall TZ300

Steps taken so far:

Hardware – Dell Laptop for now with 1 nic (Green interface)
Fresh install of Nethserver 7.4
Set Network static address on (Green)

Set routed mode

Create the Roadwarrior user accounts
Download the config file place in config location.
Config portforwarding on router to internal vpn server address 192.168.30.19
I connect in with Open VPN client all connects fine I get ip of 192.168.100.6
I can access internet
I can ping VPN server 192.168.30.19 with reply
But I can’t connect or ping anything else on the Lan?
And this is where I’m stumped.
I’m guessing the issue is with routing from external 192.168.100.x to internal 192.168.30.x
iptable is as follows:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.30.1 0.0.0.0 UG 0 0 0 enp0s29u1u4
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 enp0s29u1u4
192.168.30.0 0.0.0.0 255.255.254.0 U 0 0 0 enp0s29u1u4
192.168.100.0 192.168.100.2 255.255.254.0 UG 0 0 0 tunrw
192.168.100.2 0.0.0.0 255.255.255.255 UH 0 0 0 tunrw

Firewall Log
Apr 12 13:26:17 TestVPN kernel: Shorewall:sfilter:DROP:IN=tunrw OUT=tunrw MAC= SRC=192.168.100.6 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8679 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=146
Apr 12 13:26:22 TestVPN kernel: Shorewall:sfilter:DROP:IN=tunrw OUT=tunrw MAC= SRC=192.168.100.6 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8680 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=147

Open vpn log shows the following error
TestVPN kernel: Shorewall:sfilter:DROP:IN=tunrw OUT=tunrw MAC= SRC=192.168.100.6 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=5508 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11

@mrMarkus was kindly offering his input and has also replicated the issue.
Anyone else running a similar setup that can solve my headache?

mrmarkuz · April 13, 2018, 11:06am

A static route on the gateway should solve the issue.

saitobenkei · April 13, 2018, 12:54pm

As @mrmarkuz suggests, in your router/gateway put a static route that redirects all calls to 192.168.100.0/23 range to your VPN server (I suppose it’s 192.168.30.19)

A question, Why 255.255.254.0 as netmask of your OpenVPN range?

Matthew99 · April 13, 2018, 3:43pm

thank you just got to work out how to add a Route in Sonicwall

@saitobenkei VPN routed ip range is on 255.255.255.0 main lan is on 255.255.254.0

why on a /23 for lan you ask i haven’t got my head around vlan setup yet

mrmarkuz · April 13, 2018, 3:56pm

Found a thread:

https://www.sonicwall.com/en-us/support/knowledge-base/170505813100854

saitobenkei · April 13, 2018, 4:05pm

If your VPN Range is 255.255.255.0 so put /24 in your static route, not /23 I have wrongly written in my previous post

Matthew99 · April 13, 2018, 4:58pm

Cheers. Will carry out some weekend testing and keep you posted.

Matthew99 · April 16, 2018, 11:27am

Progress…

i added the route as per the documentation.

using the following config:

and…success i can now access internet ping laptop on network.

one slight hitch i have nas drive on this network to test and i can’t connect to it anyone see a reason for this its on 192.168.30.11

Matthew99 · April 16, 2018, 11:31am

ok just tried to ping my device 192.168.100.6 from inside the lan and no reply

Matthew99 · April 16, 2018, 5:25pm

Update turns out the Nas just needed a 're boot awesome work @mrmarkuz and @saitobenkei thanks for sticking with me I can now access all internal devices and web interfaces. This will allow some of our remote IOS users access too now which will be a big help. Great work team!

Maicol_Munoz · May 17, 2019, 7:04am

Hello @Matthew99 could you share the solution to your problem because I currently have the same problem with my vpn that was working perfectly but a week ago I presented the same error.

I can connect to my vpn but I can only access the Nethserver server but not any LAN resources.

I hope you can help me.

Matthew99 · May 17, 2019, 8:38am

hi @Maicol_Munoz

if i remember correctly i had to create a static route as suggested by @MrMuecke and screenshots above.

you need to create an object for the subnet you have as your routed mode address and then add a static route to that destination.