Hi all, I’ve seen this topic pass by a couple of times and tried to use the solutions that were given, but with no luck.
My setup is: Internet > router (192.168.80.0/24) > Nethserver (192.168.80.18, green interface, no bridging or bonding) > roadwarrior VPN (192.168.85.0/24)
Port forwarding from router to Nethserver (1194).
Roadwarrior and firewall applications installed.
Runs on VMware ESXi, with a snapshot taken to revert to a basic install so I can experiment from scratch.
I tried several scenarios, and also followed the advice found on this forum to add a static route in my router from 192.168.85.0/24 to 192.168.80.18 (Nethserver), but that didn’t solve my issue.
When I tried a bridged VPN setup, I did have access to my LAN, but that uses a tap interface, which is not compatible with the Android client, and I really need that.
This is my routing table in Nethserver:
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.80.1    0.0.0.0         UG    0      0        0 ens33
192.168.80.0    0.0.0.0         255.255.255.0   U     0      0        0 ens33
192.168.85.0    192.168.85.2    255.255.255.0   UG    0      0        0 tunrw
192.168.85.2    0.0.0.0         255.255.255.255 UH    0      0        0 tunrw
```
The client connects and I can access the web interface, but nothing outside the Nethserver.
I also tried Zentyal server (because I am more familiar with that), but I like the implementation on Nethserver better (cert + username possibility).
Any ideas would be greatly appreciated.
Thanks,
Stef
Hi Markus,
Thanks for the reply. My router is a TP-Link Archer C7, with firmware 3.15.3 Build 150511, the latest build according to their website. There is no mention of any bug concerning static routing.
Correct me if I’m wrong, but isn’t the routing between the subnets done in Nethserver? Shouldn’t there be some form of NAT connecting both subnets?
That was at least the approach on Zentyal, and it didn’t need static routing on my gateway. Or am I really missing something here?
Hmmm, that’s the exact point I don’t get. I have set Roadwarrior in routed mode. Am I wrong to think that traffic goes VPN tunnel > Nethserver > LAN? If this is the case, Nethserver would handle the routing between VPN and LAN? Or is the VPN subnet ‘mapped’ onto the same LAN interface?
I have only one network interface set in Nethserver, so there is no WAN interface.
If there’s no static route, the router drops packets to/from the VPN.
If Nethserver were the gateway, then you wouldn’t need the static route, as Nethserver would do the routing.
On the other hand, if the main office OpenVPN server is NOT also the gateway, then whatever machine or router which IS the gateway must know to route 10.3.0.0 subnet 255.255.255.0 to the machine which is running OpenVPN.
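To make the point of the two replies above concrete, here is an added example (not code from the thread, from Nethserver or from OpenVPN) that models the thread's topology as toy longest-prefix-match routing tables and traces a client packet to a LAN host together with the LAN host's reply. The router 192.168.80.1, Nethserver 192.168.80.18 and the 192.168.85.0/24 tunnel on tunrw are taken from the thread; the LAN host 192.168.80.50, the client address 192.168.85.6 and the tun endpoint 192.168.85.1 are constructed assumptions. It compares three setups: no static route (the return packet reaches the router, which has no route for 192.168.85.0/24 and sends it up its default toward the ISP, where it is lost), the static route on the router that Markus describes, and the NAT alternative Stef asks about (MASQUERADE on Nethserver, so the LAN host answers 192.168.80.18 directly).

```python
"""Toy longest-prefix-match routing model of the thread's topology (added example)."""
from ipaddress import ip_address, ip_network

# Constructed topology: addresses from the thread where stated, assumed otherwise.
ROUTER, NETH, NETH_TUN = "192.168.80.1", "192.168.80.18", "192.168.85.1"   # tun endpoint assumed
LAN_HOST, VPN_CLIENT = "192.168.80.50", "192.168.85.6"                      # hypothetical hosts

NODES = {
    "client": {VPN_CLIENT},
    "neth": {NETH, NETH_TUN},
    "router": {ROUTER},
    "lanhost": {LAN_HOST},
}
OWNER = {addr: name for name, addrs in NODES.items() for addr in addrs}


def build_tables(router_has_static_route):
    """Per-node routes as (prefix, next_node); next_node None means on-link delivery."""
    router = [("0.0.0.0/0", "isp"), ("192.168.80.0/24", None)]
    if router_has_static_route:
        # The forum advice: send the VPN subnet back to the OpenVPN server.
        router.append(("192.168.85.0/24", "neth"))
    return {
        "router": router,
        "neth": [("0.0.0.0/0", "router"), ("192.168.80.0/24", None), ("192.168.85.0/24", None)],
        "lanhost": [("0.0.0.0/0", "router"), ("192.168.80.0/24", None)],
        # OpenVPN pushes the LAN route to the client via the tun endpoint, i.e. Nethserver.
        "client": [("192.168.80.0/24", "neth"), ("192.168.85.0/24", None)],
    }


def lookup(table, dst):
    """Longest-prefix match. Returns (network, next_node) or None when nothing matches."""
    best = None
    for prefix, nxt in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nxt)
    return best


def trace(tables, src, dst, max_hops=8):
    """Hop-by-hop path of a packet from node `src` to IP `dst`, or None if it is dropped."""
    node, path = src, [src]
    for _ in range(max_hops):
        if dst in NODES[node]:
            return path
        route = lookup(tables[node], dst)
        if route is None:
            return None                  # no route at all: dropped here
        nxt = route[1]
        if nxt is None:
            nxt = OWNER.get(dst)         # on-link: deliverable only if some node owns dst
        if nxt not in tables:
            # Unknown owner, or a next hop outside the model: the router's default route
            # toward the ISP, where RFC 1918 destinations never come back.
            return None
        path.append(nxt)
        node = nxt
    return None


def roundtrip(router_has_static_route, nat_on_neth=False):
    """Forward path client -> LAN host and the reply path for one of the three setups."""
    tables = build_tables(router_has_static_route)
    forward = trace(tables, "client", LAN_HOST)
    if nat_on_neth:
        # MASQUERADE on Nethserver rewrites the source to 192.168.80.18, so the LAN host
        # answers Nethserver directly; Nethserver un-NATs and forwards down tunrw.
        reply = trace(tables, "lanhost", NETH)
        if reply is not None:
            reply = reply + trace(tables, "neth", VPN_CLIENT)[1:]
    else:
        reply = trace(tables, "lanhost", VPN_CLIENT)
    return forward, reply


if __name__ == "__main__":
    for label, args in [("no static route, no NAT", (False,)),
                        ("static route on router", (True,)),
                        ("SNAT on Nethserver", (False, True))]:
        fwd, back = roundtrip(*args)
        print(f"{label:24} forward={fwd} reply={back}")
```

The model ignores the server's own firewall and assumes IP forwarding is enabled on Nethserver; it only shows the return-path problem. In the first case the forward packet arrives at the LAN host but the reply is lost, which matches the symptom in the thread (the client reaches the Nethserver web interface, nothing beyond it). The two fixes differ in what the LAN sees: with the static route, LAN hosts and their logs see the real 192.168.85.x client address, so per-client firewall rules and attribution are possible; with MASQUERADE every VPN user appears as 192.168.80.18 and that distinction is lost.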
You were right from the start: it’s most probably a bug in my router. Today I set up the exact same situation at work, on a Vasco AXSguard, and configured static routing in exactly the same way.
It worked immediately.
I’m going to insert a second NIC in my ESXi server and go with Neth all the way, so I might be needing more help soon.
I thought about that earlier, upgrading to DD-WRT, but it only works on hardware version 2 and higher, and I have hardware version 1, so it’s a no-go.
For my home it’s quite all right, but sometimes I try to build POC situations at home, and in this specific case that didn’t work out well on this router.
At work it’s already implemented; it was a necessity since our country went into lockdown due to the coronavirus and quite a lot of colleagues are working from home now.