Open VPN Routed mode, can’t connect to Lan

Matthew99 (Matthew) 2018-04-12 16:59:40 UTC #1

Hi
I’ve been struggling this for a while now and hoping someone can help me get this sorted.
I have been using Roadwarrior Bridged Tap mode for a while now but wanted to set up a new server to test Tun Routed mode but am unable to get it routing to internal LAN

Network 192.168.30.x /23
Sub 255…255.254
Gateway 192.168.30.1
Netserver 7.4 – 192.168.30.19- VPN server and sat behind a Sonicwall TZ300

Steps taken so far:

Hardware – Dell Laptop for now with 1 nic (Green interface)
Fresh install of Nethserver 7.4
Set Network static address on (Green)

Set routed mode

Create the Roadwarrior user accounts
Download the config file place in config location.
Config portforwarding on router to internal vpn server address 192.168.30.19
I connect in with Open VPN client all connects fine I get ip of 192.168.100.6
I can access internet
I can ping VPN server 192.168.30.19 with reply
But I can’t connect or ping anything else on the Lan?
And this is where I’m stumped.
I’m guessing the issue is with routing from external 192.168.100.x to internal 192.168.30.x
iptable is as follows:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.30.1 0.0.0.0 UG 0 0 0 enp0s29u1u4
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 enp0s29u1u4
192.168.30.0 0.0.0.0 255.255.254.0 U 0 0 0 enp0s29u1u4
192.168.100.0 192.168.100.2 255.255.254.0 UG 0 0 0 tunrw
192.168.100.2 0.0.0.0 255.255.255.255 UH 0 0 0 tunrw

Firewall Log
Apr 12 13:26:17 TestVPN kernel: Shorewall:sfilter:DROP:IN=tunrw OUT=tunrw MAC= SRC=192.168.100.6 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8679 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=146
Apr 12 13:26:22 TestVPN kernel: Shorewall:sfilter:DROP:IN=tunrw OUT=tunrw MAC= SRC=192.168.100.6 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8680 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=147

Open vpn log shows the following error
TestVPN kernel: Shorewall:sfilter:DROP:IN=tunrw OUT=tunrw MAC= SRC=192.168.100.6 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=5508 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11

@mrMarkus was kindly offering his input and has also replicated the issue.
Anyone else running a similar setup that can solve my headache?

mrmarkuz (Markus Neuberger) 2018-04-13 11:06:47 UTC #2

A static route on the gateway should solve the issue.

saitobenkei (Saito Benkei) 2018-04-13 12:54:55 UTC #3

As @mrmarkuz suggests, in your router/gateway put a static route that redirects all calls to 192.168.100.0/23 range to your VPN server (I suppose it’s 192.168.30.19)

A question, Why 255.255.254.0 as netmask of your OpenVPN range?

Matthew99 (Matthew) 2018-04-13 15:43:49 UTC #4

thank you just got to work out how to add a Route in Sonicwall

@saitobenkei VPN routed ip range is on 255.255.255.0 main lan is on 255.255.254.0

why on a /23 for lan you ask i haven’t got my head around vlan setup yet

mrmarkuz (Markus Neuberger) 2018-04-13 15:56:34 UTC #5

Found a thread:

https://www.sonicwall.com/en-us/support/knowledge-base/170505813100854

saitobenkei (Saito Benkei) 2018-04-13 16:05:20 UTC #6

If your VPN Range is 255.255.255.0 so put /24 in your static route, not /23 I have wrongly written in my previous post

Matthew99 (Matthew) 2018-04-13 16:58:47 UTC #7

Cheers. Will carry out some weekend testing and keep you posted.

Matthew99 (Matthew) 2018-04-16 11:27:36 UTC #8

Progress…

i added the route as per the documentation.

using the following config:

and…success i can now access internet ping laptop on network.

one slight hitch i have nas drive on this network to test and i can’t connect to it anyone see a reason for this its on 192.168.30.11

Matthew99 (Matthew) 2018-04-16 11:31:03 UTC #9

ok just tried to ping my device 192.168.100.6 from inside the lan and no reply

Matthew99 (Matthew) 2018-04-16 17:25:18 UTC #10

Update turns out the Nas just needed a 're boot awesome work @mrmarkuz and @saitobenkei thanks for sticking with me I can now access all internal devices and web interfaces. This will allow some of our remote IOS users access too now which will be a big help. Great work team!