Koozali.org: home of the SME Server

access local lan from open VPN

Offline robf355

access local lan from open VPN
« on: September 11, 2020, 11:29:21 AM »
Hi
I've installed openvpn in routed and bridge mode (bridge mode disabled); routed is used for access from an android tablet / phone. I can access all services running on the server (192.168.0.10). I would like to be able to access the rest of my local lan (192.168.0.0/24), but the client android phone can't connect to any IP address other than the server.
I've added the following config to the openvpn.conf file using the template:

db configuration setprop openvpn-routed RedirectGateway enabled

I also tried adding push "route 192.168.0.0 255.255.255.0" to openvpn.conf, but when I issue signal-event openvpn-routed-update the line is deleted. Is there a way to add this using the db configuration setprop command, as the route property isn't listed in the contrib howto?
Either way, the above doesn't allow me to access the internal lan. Can anyone help out?
Regards
Rob Carter
server config:
Code:
port 1194
proto udp
dev tunvpn0
user openvpn
group openvpn
chroot /etc/openvpn/routed
persist-key
persist-tun
# Certificates config
dh pub/dh.pem
ca pub/cacert.pem
cert pub/cert.pem
key priv/key.pem
tls-server
crl-verify pub/cacrl.pem
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
server 192.168.29.0 255.255.255.0
topology subnet
up /etc/openvpn/routed/bin/up
script-security 2
# Options
keepalive 40 180
push "dhcp-option DOMAIN kjctechnik.com"
push "dhcp-option DNS 192.168.0.10"
push "dhcp-option WINS 192.168.0.10"
mtu-test
mssfix
passtos
comp-lzo adaptive
push "comp-lzo adaptive"
nice 5
push "redirect-gateway def1"
management 127.0.0.1 11195 management-pass.txt
client-config-dir ccd
status-version 2
status bridge-status.txt
suppress-timestamps
verb 3
« Last Edit: September 11, 2020, 11:52:37 AM by robf355 »

Offline mmccarn

Re: access local lan from open VPN
« Reply #1 on: September 11, 2020, 12:14:31 PM »
With this mode, clients connecting to the VPN from the outside will get an IP in the local subnet; the VPN and the Internal Interface are bridged. There's no routing problem, no additional firewall rules. The downside is that you cannot limit which services VPN clients have access to; they are just treated as locally connected computers.

In routed mode I think you need to either open specific firewall rules to allow traffic to the rest of your network, or you would need to add the VPN subnet to 'Local Networks'.

[caveat: I have never used openvpn on SME...]

Offline ReetP

Re: access local lan from open VPN
« Reply #2 on: September 15, 2020, 01:04:50 PM »
Hmm. Not sure you have got this right.

By default you will connect on a routed network 192.168.29.x

Code:
my $net = ${'openvpn-routed'}{'Network'} || '192.168.29.0/255.255.255.0';
IOW - no 'Network' set, then use 192.168.29.0/24

That should have the local networks pushed unless you have changed anything?

Quote
I also tried adding push "route 192.168.0.0 255.255.255.0" to openvpn.conf, but when I issue signal-event openvpn-routed-update the line is deleted. Is there a way to add this using the db configuration setprop command, as the route property isn't listed in the contrib howto?

You should not need to do anything manually... SME is a templated system. You can adjust the content of configs with the config DB keys. The only way to really override this is to use custom-templates, but you should not need them here.

If you accept the defaults then you should be able to see machines on your local networks, as they are pushed by default:

Code:
$pushRoutes =  ${'openvpn-routed'}{PushLocalNetworks} || 'enabled';
So, whatever you have done, undo and start again as there are no pushed routes in your config.

Here's the conf from one of mine:

(VPN server is 192.168.97.1)

Code:
push "route 10.0.0.0 255.255.255.0 192.168.97.1"
push "route 192.168.10.0 255.255.255.0 192.168.97.1"
push "route 192.168.97.0 255.255.255.0"

Look at the settings here:

https://wiki.contribs.org/OpenVPN_Routed

Also check for the settings in OpenVPN documentation as well so you fully understand what you are doing.

You can check how and where the DB settings are applied by looking through the templates eg

Code:
cd /etc/e-smith/templates

grep -rn openvpn-routed

Redirect Gateway determines if all your data is pushed across the default gateway to the internet, or only the data to the Open Server network/networks.

By default it is disabled:

Code:
my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || 'disabled';
But note that this can be overridden in your client config (I presume the server will take precedence, but I never checked).

Something like this in the ovpn config file:

Code:
route 0.0.0.0 0.0.0.0 vpn_gateway
Also make sure you have compression disabled, and do not use it in your client configs, or you will get some moaning and whining, eg "IP packet with unknown IP version=15 seen":

Code:
config setprop openvpn-routed Compression disabled
Show:

Code:
config show openvpn-routed
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
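As an added example (not code from this thread, the SME contrib or its templates), here is a small Python checker for a rendered openvpn.conf: it parses the push lines, reports which local networks a client would actually get a route for, and flags redirect-gateway and comp-lzo, the two settings discussed above. The two sample configs are constructed from the snippets quoted in the thread; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the routed server.conf quoted in the thread:
# DNS, compression and redirect-gateway are pushed, but no LAN route is.
CONF_NO_ROUTES = """\
server 192.168.29.0 255.255.255.0
push "dhcp-option DNS 192.168.0.10"
comp-lzo adaptive
push "redirect-gateway def1"
"""
# Constructed sample with the three pushed routes quoted from the working server.
CONF_WITH_ROUTES = """\
server 192.168.97.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0 192.168.97.1"
push "route 192.168.10.0 255.255.255.0 192.168.97.1"
push "route 192.168.97.0 255.255.255.0"
"""
PUSH_RE = re.compile(r'^push\s+"?([^"]*)"?$')

def directives(conf_text):
    """Non-comment lines of the conf with inline comments stripped."""
    lines = (raw.split("#", 1)[0].strip() for raw in conf_text.splitlines())
    return [ln for ln in lines if ln]

def pushes(conf_text):
    """Options the server pushes to clients (the text inside push "...")."""
    return [m.group(1).strip() for m in map(PUSH_RE.match, directives(conf_text)) if m]

def pushed_routes(conf_text):
    """Networks from push "route NET MASK [GW]" lines, as ip_network objects."""
    nets = []
    for opt in pushes(conf_text):
        parts = opt.split()
        if len(parts) >= 3 and parts[0] == "route":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets

def audit(conf_text, lans):
    """Check each LAN CIDR is covered by a pushed route; flag redirect-gateway and comp-lzo."""
    routes = pushed_routes(conf_text)
    missing = [lan for lan in lans
               if not any(ipaddress.ip_network(lan).subnet_of(r) for r in routes)]
    opts = pushes(conf_text)
    return {
        "pushed_routes": [str(r) for r in routes],
        "missing_lans": missing,
        "redirect_gateway": any(o.startswith("redirect-gateway") for o in opts),
        "compression": any(d.startswith("comp-lzo") for d in directives(conf_text) + opts),
    }
```

Run it against /etc/openvpn/routed/openvpn.conf after signal-event openvpn-routed-update: an empty pushed_routes list with your LAN in missing_lans means the template did not push the local networks, which is the situation in the first post.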