VPN traffic routing

Hello all, I am confused about our OpenVPN connection.
One of our workers, who is working from home and is using a shared folder on an ibay to save CAD docs, complains that it is very difficult to work on the shared folder. Even though the file size is 35mb, it takes so long to save documents over the VPN connection to the shared ibay folder. I am trying to understand the following:

  1. Is the connection based on “routing all traffic over the OpenVPN”? If yes, how can I verify?
  2. In this situation, is it more efficient to use "ROUTING ALL TRAFFIC through OPENVPN" or not?
  3. If not, we have another issue to consider.

Thanks in advance.

Hi

No 2 is better!

How fast is your Internet, that of the user concerned?

My 2 cents
Andy

1 Like

Hi Andy, it has a download speed of 234mbps and 70mbps upload. How can I check and configure the 2nd option, as you said, on the server and client?

Internet speeds should be good enough (sure, it’s not a GB as on a local PC, but better than nothing).

Set the VPN as shown, see red box!

My 2 cents
Andy

1 Like

I will check this option, the sooner the better. And on the client side, do I have to do something?

Hi @ns_nirosh

You may need to reexport and import the client certificate / config on the client.

Note:

This option can also be edited on the client pc / notebook, there should be an entry in the ovpn.conf file (Or whatever name you’re using).

If you do not feel comfortable editing the file, just reexport the config and import it into whatever OpenVPN client you’re using.

It should work!

My 2 cents
Andy

1 Like
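
Added example (not part of the original posts, not NethServer or OpenVPN code): one way to answer the "how can I verify" question is to look at which routing directives end up in force on the client. It assumes the standard OpenVPN directives `redirect-gateway`, `route`, `route-nopull` and `pull-filter ignore`, numeric networks in `route` lines, and a constructed client config and pushed-option lists.

```python
import ipaddress
import shlex

def effective_options(client_conf, pushed=()):
    """Directives in force on the client: its own config lines plus the
    server-pushed options that route-nopull / pull-filter do not discard."""
    local = [shlex.split(line, comments=True) for line in client_conf.splitlines()
             if not line.lstrip().startswith(";")]
    local = [t for t in local if t]
    nopull = any(t[0] == "route-nopull" for t in local)
    ignored = [t[2] for t in local
               if t[0] == "pull-filter" and len(t) >= 3 and t[1] == "ignore"]
    opts = list(local)
    for option in pushed:
        name = option.split()[0]
        if nopull and name in ("route", "redirect-gateway"):
            continue  # route-nopull drops pushed routes and gateway redirects
        if any(option.startswith(prefix) for prefix in ignored):
            continue  # pull-filter ignore matches on the option's prefix
        opts.append(option.split())
    return opts

def tunnel_mode(opts):
    """'full' if the default gateway is redirected into the VPN, else 'split'."""
    return "full" if any(t[0] == "redirect-gateway" for t in opts) else "split"

def via_vpn(opts, dest):
    """True if traffic to dest (IPv4 string) is sent through the tunnel."""
    if tunnel_mode(opts) == "full":
        return True
    ip = ipaddress.ip_address(dest)
    for t in opts:
        if t[0] == "route" and len(t) >= 2 and "net_gateway" not in t:
            mask = t[2] if len(t) >= 3 else "255.255.255.255"
            if ip in ipaddress.ip_network(f"{t[1]}/{mask}", strict=False):
                return True
    return False

# Constructed sample input (host name and pushed options are assumptions).
CLIENT_CONF = """
client
dev tun
remote vpn.example.org 1194
# redirect-gateway def1
"""
PUSHED_SPLIT = ["route 192.168.100.0 255.255.255.0"]
PUSHED_FULL = ["redirect-gateway def1"]

if __name__ == "__main__":
    for label, pushed in (("split", PUSHED_SPLIT), ("full", PUSHED_FULL)):
        opts = effective_options(CLIENT_CONF, pushed)
        print(label, tunnel_mode(opts), via_vpn(opts, "203.0.113.10"))
```

With the split-tunnel set, only the office LAN goes through the VPN, so a 35mb save to the ibay does not compete with the user's other Internet traffic inside the tunnel.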

Hi Andy, when I check my settings I can see these settings.
I would ask you to help me with:

  1. Connect this server public IP / host - what kind of IP should I insert there?
  2. Is LZO compression OK? I think you have customized LZ4.
  3. Do I have to enable “Allow client to client traffic”? (Because I don’t have the option “Route all client traffic through VPN”.) I have bridge mode, not routed mode.
  4. Topology is set to obsolete, may I change it?

Thanks,

Hi @ns_nirosh

Sorry, was out of office…

I’d erase the OpenVPN configuration and recreate it as the more modern “routed” instead of “bridged”.

This gives you a few options more…

LZO4 generally works, but so does the older compression. The newer gives better rates, especially if using the suggested cipher / digest and SHA512 & GCM…

→ This alone can bring an almost 80% increase - or more in transfer speeds!

My 2 cents
Andy

2 Likes

Dear Andy, I set up a virtual network to realise the concept.
I want to know: our server green IP address is 192.168.100.0 /24, but the routed VPN is 10.0.0.0 /24. Can I access a webpage on another server, which is 192.168.100.120?

Hi

This should be no problem.

Your NethServer is your default gateway, so all other servers / hosts will use that IP (NethServer LAN “Green” IP) to return any packets.

The complete VPN network (10.0.0.0/24) should be entered in all NethServers’ “Trusted Networks” (if you have more than one NethServer).

I tend to use 10.99.X.0/24 as VPN network, where X is equal to the 3rd Octet of the LAN IP.
LAN: 192.168.100.0/24
VPN: 10.99.100.0/24

The 10.99 signifies for me a VPN, the third octet signifies which client network I’m connecting to…

The above is probably a typo, as 192.168.100.0 /24 is NOT a valid IP address for a host, it’s for a complete network. Probably you mean 192.168.100.1 /24. :)

My 2 cents
Andy

2 Likes

Thanks for the better explanation. I want to mention that all the clients are connecting to the VPN from home, not at the premises where the server is situated. Will it not be a problem to access other resources of the server-side network?

No, as said, all PCs, printers and other servers will use your NethServer as Gateway, so they should have no issues.

The only caveat (problem) can be when servers have an additional firewall protection, like NethServer has with its “Trusted Networks” feature. Here the system needs to know that the VPN network is “trusted” and access is OK.

My 2 cents
Andy

1 Like

I have trusted networks like 192.168.100.0 automatically assigned. I think it will not be a problem, as you explained.
I have a question about one thing - I cannot use “speedtest.net” to check speed when I connect to OpenVPN. Do I have to find a solution to that problem as well?

Check if it’s entered somewhere like in DNS of NethServer…

1 Like

YES. It’s entered in the DNS, but not as broadcast; it is written as 192.168.100.5.

Do you know why it’s there?

This looks like a null-routed service, maybe for testing. The domain should not work from LAN or VPN, unless 192.168.100.5 is something special, like a Proxy…

1 Like

OK, now, as you explained here, I should put the VPN address (10.0.0.1) in the trusted network module?

Not just a host-IP, but the full network:

10.0.0.0/24

My 2 cents
Andy
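
Added example (not part of the original posts, not NethServer code): a check of the address plan discussed in this thread, covering the network-address-as-host mistake, the 10.99.X.0/24 naming convention, and a trusted-network entry that names a single host instead of the whole VPN subnet. It assumes that a trusted-network entry grants access by plain CIDR containment; the trusted lists are constructed.

```python
import ipaddress

def host_problem(addr):
    """Why 'a.b.c.d/len' cannot be assigned to a host, or None if it can."""
    iface = ipaddress.ip_interface(addr)
    net = iface.network
    if net.prefixlen < 31:  # /31 and /32 have no reserved addresses
        if iface.ip == net.network_address:
            return f"{iface.ip} is the network address of {net}"
        if iface.ip == net.broadcast_address:
            return f"{iface.ip} is the broadcast address of {net}"
    return None

def suggested_vpn_network(lan):
    """The 10.99.X.0/24 convention from the thread: X = third octet of the LAN."""
    third = ipaddress.ip_network(lan).network_address.packed[2]
    return f"10.99.{third}.0/24"

def vpn_trust_problems(lan, vpn, trusted):
    """Problems in a routed-VPN plan: overlap with the LAN, or a VPN subnet
    that no trusted-network entry covers completely."""
    lan_net, vpn_net = ipaddress.ip_network(lan), ipaddress.ip_network(vpn)
    problems = []
    if lan_net.overlaps(vpn_net):
        problems.append(f"VPN {vpn_net} overlaps LAN {lan_net}")
    entries = [ipaddress.ip_network(e, strict=False) for e in trusted]
    if not any(vpn_net.subnet_of(e) for e in entries):
        partial = [str(e) for e in entries if e.subnet_of(vpn_net)]
        hint = f" (only {', '.join(partial)} is trusted)" if partial else ""
        problems.append(f"VPN {vpn_net} is not fully trusted{hint}")
    return problems

# Values from the thread; the trusted lists are constructed for the example.
LAN, VPN = "192.168.100.0/24", "10.0.0.0/24"

if __name__ == "__main__":
    print(host_problem("192.168.100.0/24"))
    print(vpn_trust_problems(LAN, VPN, [LAN, "10.0.0.1"]))
    print(vpn_trust_problems(LAN, VPN, [LAN, VPN]))
    print(suggested_vpn_network(LAN))
```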

OK, thanks very much for the support. I will implement this on the server physically and let you know.

1 Like

Hello Andy, I have set up the routed VPN and found a good connection, which uploads a 600mb file within 2min from client to server. I appreciate your big help in implementing this the correct way. See you next time.

2 Likes