VPN LAN access issues


(alex) #1

I have configured NethServer to use road warrior and can successfully connect using OpenVPN. The problem I have is that I cannot see anything on the LAN behind NethServer (green network). Any advice on troubleshooting or assistance appreciated (I believe I have read the FAQ and NS documentation relating to VPN, btw!)

(Filippo Carletti) #2

In routed mode, LAN machines must have NethServer as their default gateway.
Otherwise, use bridged mode.

(alex) #3

Thanks Filippo - it's set to routed mode and the gateway settings are already in place, I'm afraid!

(Filippo Carletti) #4

You could use tcpdump while pinging to see where packets are going.

(alex) #5

Stupid question, but what am I going to ping? The LAN network (NethServer green) is X.Y.10.0 and the “VPN” network is X.Y.110.0 (so as to avoid any common range)… The VPN is established on the 110 network - I'm expecting to see the servers on the remote LAN allocated 110 addresses (which doesn't happen)… on that basis I'm not sure what to ping, but I may be misunderstanding VPNs, so apologies in advance!

(Emiliano Vavassori) #6

Not really. If you are in routed mode, you will see in your roadwarrior the routes for the X.Y.10.0 network via the tunX interface.

If you cannot find the correct routes to the LAN, then you may have problems with the client. I know for sure, for example, that Ubuntu (but maybe NetworkManager in general) has a function to remove additional routes pushed by the OpenVPN server; check that you didn't flag that by mistake.


(alex) #7

Ah ok, thank you - I'm slowly starting to get my head around what a VPN does - so I think I'm right in saying that the VPN network (in my case X.Y.110.0) is used to allow traffic to route between my local and remote LAN… with that in mind, if the routing is correct I should expect to be able to ping an address (and ideally log on to it) on the remote LAN from my local LAN.

My local PC is just a Windows machine (running the OpenVPN client) - when I check the routing table on this machine I don't see any route entry allowing access to the remote X.Y.10.0 network via the X.Y.110.0 “VPN” network… incidentally I had previously added such a route and it didn't do the trick!

(Emiliano Vavassori) #8

[quote=“alpreseidente, post:7, topic:7532”]
when I check the routing table on this machine I don't see any route entry allowing access to the remote X.Y.10.0 network via the X.Y.110.0 “VPN” network
[/quote]

And this is really the problem. The strange thing is that if you configure an OpenVPN server on NS and you have a green interface (which you do), the network associated with the interface is going to be added as a route for each client.

Just try to destroy and recreate the configuration for the road warrior server; if it doesn't work after that, please post your /etc/openvpn/host-to-net.conf file. You may also check the log file on NS (and on the Windows client) for errors.

(Saito Benkei) #9

If your NethServer isn't the gateway of your LAN, put a route on your gateway (router or firewall) that redirects all packets for X.Y.110.0 to the IP of the NethServer's green interface.

(alex) #10

Hi Saito - my NethServer is the gateway between the internet (red) and the LAN (green). I'm trying to keep things simple at this point!

(alex) #11

# ================= DO NOT MODIFY THIS FILE =================
# Manual changes will be lost when this file is regenerated.
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
# Copyright (C) 2013 Nethesis S.r.l.
# http://www.nethesis.it - support@nethesis.it
dev tunrw
ifconfig-pool-persist host-to-net.pool 0

port 1194
script-security 3
dh /var/lib/nethserver/certs/dh1024.pem
ca /etc/pki/tls/certs/NSRV.crt
cert /etc/pki/tls/certs/NSRV.crt
key /etc/pki/tls/private/NSRV.key
crl-verify /var/lib/nethserver/certs/crl.pem
push "dhcp-option DOMAIN myDOMAIN.co.uk"
push "dhcp-option DNS"
push "dhcp-option WINS"
push "dhcp-option NBDD"
push "dhcp-option NBT 2"
push "route"


# Authentication: certificate

status /var/log/openvpn/host-to-net-status.log
log-append /var/log/openvpn/openvpn.log
keepalive 20 120
client-config-dir ccd
management /var/spool/openvpn/host-to-net unix
verb 3
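
Added example, not code from the thread, NethServer or OpenVPN: a small static check over the server config posted in #11. It parses every push directive and reports the ones that carry no parameter, which is what a reader would look for after #8 (the green network should arrive at each client as a pushed route). In the posted file, push "route" and the DNS/WINS/NBDD dhcp-options have no value at all; OpenVPN's option parser treats a directive with a missing required parameter as an option error, so such a push cannot install the route the client is missing. The minimum-parameter table is my reading of the OpenVPN 2.x manual and covers only the directives that occur here; the addresses in the "filled" variant are constructed for the example.

```python
"""Static check of the push directives in an OpenVPN server config.

Added example (not NethServer's or OpenVPN's own code): it parses the
config posted in #11 and reports push directives that are missing their
required parameters, e.g. a push "route" with no network, which is the
route #8 says every client should receive.
"""
import shlex

# Directives that may be pushed and the minimum number of parameters each
# needs (assumption: taken from the OpenVPN 2.x manual; only the ones that
# occur in the posted config are listed).
MIN_PARAMS = {
    "route": 1,        # route network [netmask [gateway [metric]]]
    "dhcp-option": 1,  # dhcp-option TYPE [parm]
}
# dhcp-option types that carry a value; a bare type is incomplete.
DHCP_OPTION_WITH_VALUE = {"DOMAIN", "DNS", "WINS", "NBDD", "NBS", "NBT", "NTP"}

# The config from post #11, reduced to its directives (placeholders as posted).
POSTED_CONFIG = """\
dev tunrw
ifconfig-pool-persist host-to-net.pool 0
port 1194
script-security 3
dh /var/lib/nethserver/certs/dh1024.pem
ca /etc/pki/tls/certs/NSRV.crt
cert /etc/pki/tls/certs/NSRV.crt
key /etc/pki/tls/private/NSRV.key
crl-verify /var/lib/nethserver/certs/crl.pem
push "dhcp-option DOMAIN myDOMAIN.co.uk"
push "dhcp-option DNS"
push "dhcp-option WINS"
push "dhcp-option NBDD"
push "dhcp-option NBT 2"
push "route"
"""

# Constructed counterpart (addresses are invented for the example): the same
# file with the green network and the DNS server filled in.
FILLED_CONFIG = POSTED_CONFIG.replace(
    'push "dhcp-option DNS"', 'push "dhcp-option DNS 10.0.10.1"'
).replace('push "route"', 'push "route 10.0.10.0 255.255.255.0"')


def parse_directives(text):
    """Yield (line_number, [token, ...]) for each non-comment directive."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comment lines
            continue
        yield lineno, shlex.split(line)


def pushed_options(text):
    """Return (line_number, [token, ...]) for the value of every push."""
    result = []
    for lineno, tokens in parse_directives(text):
        if tokens[0] != "push":
            continue
        # push takes one quoted argument which is itself a directive line
        inner = shlex.split(tokens[1]) if len(tokens) > 1 else []
        result.append((lineno, inner))
    return result


def check_push_directives(text):
    """Return [(line_number, pushed_text, problem)] for incomplete pushes."""
    findings = []
    for lineno, inner in pushed_options(text):
        shown = " ".join(inner)
        if not inner:
            findings.append((lineno, shown, "push has no directive"))
            continue
        name, params = inner[0], inner[1:]
        if name in MIN_PARAMS and len(params) < MIN_PARAMS[name]:
            findings.append((lineno, shown, f"{name} needs a parameter"))
        elif name == "dhcp-option" and params[0] in DHCP_OPTION_WITH_VALUE and len(params) < 2:
            findings.append((lineno, shown, f"dhcp-option {params[0]} has no value"))
    return findings


def pushed_routes(text):
    """Return the (network, netmask) pairs a client would receive."""
    routes = []
    for _, inner in pushed_options(text):
        if inner and inner[0] == "route" and len(inner) >= 2:
            # OpenVPN's default netmask for a single-host route
            netmask = inner[2] if len(inner) > 2 else "255.255.255.255"
            routes.append((inner[1], netmask))
    return routes


if __name__ == "__main__":
    for cfg_name, cfg in (("posted", POSTED_CONFIG), ("filled", FILLED_CONFIG)):
        print(f"== {cfg_name} ==")
        for lineno, shown, problem in check_push_directives(cfg):
            print(f"line {lineno}: push \"{shown}\": {problem}")
        print("routes a client would get:", pushed_routes(cfg) or "none")
```

Run against the posted file it lists four incomplete pushes and no route; against the filled-in variant only the still-empty WINS and NBDD options remain and the client would receive the 10.0.10.0/24 route. Comparing the routes this reports with the client's routing table (route print on Windows) is a quicker check than tcpdump when the route simply never arrives.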

(alex) #12

Thanks folks, I got it working - it was a DNS issue - having added the hostname to the internet DNS config, all now works… because this is my mail server I had assumed that mail.domain (already configured in DNS) would work… I'm reminded once again that taking shortcuts with DNS can have unpleasant consequences!