VPN Routing network no connection to server-side LAN

Hi nethserver community,

After “disaster recovery”, we are currently struggling to once again set up our VPN in our network. We already reset both the router and NethServer (NS), but we still can’t figure out what we are actually doing wrong.

So let me start with explaining our set up:

So the problem is actually that with PC3 (vpn client) we cannot access anything in our server-side local network (10.23.0.0).

Overview, ifconfig, route, OpenVPN Roadwarrior config, firewall rules and OpenVPN settings can be seen in the figure above.

Additionally, we used tcpdump to see the routing on the server when we tried to ping from PC3 (10.8.0.x) to PC1 (10.23.0.x).

12:22:33.897954 IP 10.8.0.10.55214 > 17.248.146.111.443: Flags [S], seq 2673219908, win 65535, options [mss 1358,nop,wscale 6,nop,nop,TS val 1036993970 ecr 0,sackOK,eol], length 0
12:22:34.045574 IP 10.8.0.10.55215 > 172.217.23.138.443: Flags [S], seq 783895879, win 65535, options [mss 1358,nop,wscale 6,nop,nop,TS val 1036994117 ecr 0,sackOK,eol], length 0
12:22:34.060602 IP 10.8.0.10.55216 > 205.233.73.116.443: Flags [S], seq 595964165, win 65535, options [mss 1358,nop,wscale 6,nop,nop,TS val 1036994132 ecr 0,sackOK,eol], length 0
12:22:34.141162 IP 10.8.0.10.55211 > 17.248.146.73.443: Flags [S], seq 1364290408, win 65535, options [mss 1358,nop,wscale 6,nop,nop,TS val 1036994212 ecr 0,sackOK,eol], length 0
12:22:34.147962 IP 10.8.0.10.55217 > 17.248.146.78.443: Flags [S], seq 2106829015, win 65535, options [mss 1358,nop,wscale 6,nop,nop,TS val 1036994219 ecr 0,sackOK,eol], length 0
12:22:34.396837 IP 10.8.0.10.55212 > 17.248.146.205.443: Flags [S], seq 161307845, win 65535, options [mss 1358,nop,wscale 6,nop,nop,TS val 1036994467 ecr 0,sackOK,eol], length 0
12:22:34.405221 IP 10.8.0.10.55218 > 17.248.146.143.443: Flags [S], seq 1193448510, win 65535, options [mss 1358,nop,wscale 6,nop,nop,TS va

Our Host-to-net.conf

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
# 
dev tunrw
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist host-to-net.pool 0

port 1194
script-security 3
float
multihome
dh /var/lib/nethserver/certs/dh1024.pem
ca /etc/pki/tls/certs/NSRV.crt
cert /etc/pki/tls/certs/NSRV.crt
key /etc/pki/tls/private/NSRV.key
crl-verify /var/lib/nethserver/certs/crl.pem
push "dhcp-option DOMAIN ourDomain"
push "dhcp-option DNS 10.23.0.3"
push "dhcp-option WINS 10.8.0.1"
push "dhcp-option NBDD 10.8.0.1"
push "dhcp-option NBT 2"
push "route 10.23.0.0 255.255.255.0"


# Authentication: password
auth-user-pass-verify /usr/libexec/nethserver/openvpn-pam-auth via-env
verify-client-cert none
username-as-common-name

status /var/log/openvpn/host-to-net-status.log
log-append /var/log/openvpn/openvpn.log

keepalive 20 120
client-config-dir ccd
persist-key
persist-tun
management /var/spool/openvpn/host-to-net unix
verb 3

We tried to resolve our problem by following this post and this post. We have seen @filippo_carletti solve some similar issues and we are very grateful for any support!
Do you see any obvious mistakes we made or have any suggestions how we could continue to solve this issue?

Thanks!

You won’t need a custom firewall rule for OpenVPN; it should be set up automatically.

Did you set up the static route on the router to destination network 10.8.0.0/255.255.255.0 via gateway 10.23.0.3?

Which vpn client do you use on which OS?

Thanks for your suggestion!


It works now! From VPN I can access all the devices in the local network (10.23.0.x).
(Clients: Tunnelblick/Mac, Windows/OpenVPN).

Only a minor detail doesn’t work. When I am connected to the VPN trying to ping google.com it does not work. It is not a real problem since I set up my client to only use VPN if necessary, but I am still wondering why the ping does not reach google.com.

Thanks again for your help!

It should work. You may test with nslookup and traceroute/tracert. Maybe a firewall issue on the router?

Found an old thread:

As far as I understood *** just means that the server the request is going through does not support ICMP and therefore does not support the protocol for traceroute. But usually, it’s nothing to worry about.

In my case, it seems like the request gets lost somewhere in a loop when I am connected to the VPN:

up: traceroute to google in local network without VPN
down: traceroute to google in VPN network

For me, it’s hard to tell if it’s a security problem. The router receives the request and sends it to a server that does not support ICMP.

So…
NethServer (10.23.0.3) is a green-only installation which acts as DHCP and DNS server. DHCP leases the NightHawk (10.23.0.1) as gateway and itself as DNS server.
The NightHawk forwards only the OpenVPN port.
OpenVPN uses 10.8.0.x as network space.

IMVHO DHCP should push a route to 10.8.0.x to green, because the default gateway is the NightHawk, which does not understand how to route 10.8.0.x.
All subnets are /24?
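The asymmetric return path described in this thread, as an added example that is not part of the original posts or of NethServer: a small routing simulation over constructed tables. It shows that the VPN client's packet reaches the LAN through NethServer, but PC1's reply follows its default gateway to the NightHawk, which sends it upstream unless the router has the static route for 10.8.0.0/24 via 10.23.0.3 (or LAN hosts receive that route via DHCP). All addresses, hostnames and tables are assumptions modelled on the thread.

```python
import ipaddress

# Constructed topology modelled on the thread (all values are assumptions):
# NethServer 10.23.0.3 is green-only and runs OpenVPN on tun (10.8.0.0/24),
# the NightHawk 10.23.0.1 is the LAN default gateway, PC1 is a LAN host.
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.23.0.0/24")
VPN = ipaddress.ip_network("10.8.0.0/24")
NS, ROUTER, PC1, CLIENT = "10.23.0.3", "10.23.0.1", "10.23.0.50", "10.8.0.10"

def longest_match(table, dst):
    """Return (network, via) with the longest prefix containing dst; via None = on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in table if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def build_tables(router_static_route=False, lan_host_route=False):
    """Routing tables per node. The two flags are the fixes discussed in the thread."""
    pc1 = [(LAN, None), (ANY, ROUTER)]
    if lan_host_route:                      # route pushed to LAN hosts via DHCP
        pc1.insert(0, (VPN, NS))
    router = [(LAN, None), (ANY, "WAN")]
    if router_static_route:                 # static route configured on the NightHawk
        router.insert(0, (VPN, NS))
    ns = [(LAN, None), (VPN, None), (ANY, ROUTER)]
    return {PC1: pc1, ROUTER: router, NS: ns}

def trace(tables, src, dst, max_hops=6):
    """Follow next hops from src; path ends in dst, 'WAN' (leaked upstream) or 'LOOP'."""
    path, node = [src], src
    for _ in range(max_hops):
        route = longest_match(tables[node], dst)
        if route is None:
            return path + ["DROP"]
        net, via = route
        if via is None:                     # destination is on-link for this node
            return path + [dst]
        if via == "WAN":                    # private destination handed to the ISP: lost
            return path + ["WAN"]
        path.append(via)
        node = via
    return path + ["LOOP"]

def ping_works(router_static_route=False, lan_host_route=False):
    """True if the echo request from the VPN client and the reply from PC1 both arrive."""
    t = build_tables(router_static_route, lan_host_route)
    request = trace(t, NS, PC1)             # the client's packet enters the LAN at NS
    reply = trace(t, PC1, CLIENT)
    return request[-1] == PC1 and reply[-1] == CLIENT
```

Running `trace(build_tables(), PC1, CLIENT)` shows the reply leaving via the NightHawk's WAN side, which is why the server-side tcpdump only ever sees the request; with either fix the reply ends at the client.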

My bad, the route was already set up on the NightHawk.

Okay, I’ve been trying to get OpenVPN Server running for the better part of 3 days. I was finally at my wit’s end and was going to post this huge dissertation describing my network and such much like many here have done. BUT THIS POST SAVED MY ASS! THANK YOU FOR THIS SUGGESTION! Great community! Yes I know I screamed this but I am jumping for joy! Thanks thanks thanks.
