Posted: Sun Jun 17, 2018 16:08 Post subject: openvpn working - but no access to local network
DDWRT build 36006
Hi, I have openvpn authenticating and connecting, but I am lost in the routing and firewalls.
My home network is 192.168.1.0/24. When I connect via OpenVPN I get address 192.168.11.2 - so that seems OK. I am also connecting from an external network in my tests (mobile).
I would like to be able to access home resources remotely. I don't care if it's bridging or tunneling except I understand tunneling is less load on the network. So I have it set up as tunneling.
I can't make sense of whether I need to push a route, or whether I need to add special iptables rules. Please let me know what commands to add.
Make sure the local network used by the mobile device is NOT also using 192.168.1.0/24. Because if it is, then the client will never route traffic to 192.168.1.0/24 over the tunnel since it considers it local.
That's why using 192.168.1.0/24 or 192.168.0.0/24 for your home network are NOT good choices if you intend to use your own OpenVPN server for remote access. Being so common, there's just too much risk of a network collision. Better to use something more obscure at home (e.g., 10.87.13.0/24).
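The collision described in the post above, shown as an added example (not code from the thread or from dd-wrt): a small longest-prefix-match lookup over a constructed client routing table. The interface names, metrics and addresses are assumptions; the point is that when the client's local LAN and the home LAN are the same prefix, the directly connected route wins and nothing for the home LAN ever enters tun0.

```python
import ipaddress

# Constructed routing table for a VPN client (not taken from the thread).
# Entries are (destination network, interface, metric). A directly connected
# LAN normally carries a lower metric than a route pushed by OpenVPN over tun0,
# so on an equal-length prefix the local LAN wins.
def build_routes(client_lan, home_lan, tunnel_net):
    return [
        (ipaddress.ip_network(client_lan), "wlan0", 0),   # client's local LAN (connected)
        (ipaddress.ip_network(tunnel_net), "tun0", 10),   # OpenVPN tunnel subnet
        (ipaddress.ip_network(home_lan), "tun0", 10),     # pushed "route <home_lan>"
    ]

def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lower metric wins.
    Returns the interface the packet would leave on."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, iface, metric in routes:
        if ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else "default"

def lans_collide(client_lan, home_lan):
    """True when the client's local LAN overlaps the home LAN at all."""
    return ipaddress.ip_network(client_lan).overlaps(ipaddress.ip_network(home_lan))

if __name__ == "__main__":
    # Same /24 at both ends: the home host is treated as local and never tunneled.
    r = build_routes("192.168.1.0/24", "192.168.1.0/24", "192.168.11.0/24")
    print("collision:", lans_collide("192.168.1.0/24", "192.168.1.0/24"), "->", lookup(r, "192.168.1.50"))
    # Less common home prefix: the pushed route is the only match and wins.
    r = build_routes("192.168.1.0/24", "10.87.13.0/24", "192.168.11.0/24")
    print("collision:", lans_collide("192.168.1.0/24", "10.87.13.0/24"), "->", lookup(r, "10.87.13.20"))
```

The same lookup also explains why a tethered phone on 172.20.10.0/28 has no trouble reaching 192.168.1.0/24: the prefixes do not overlap, so the pushed route is the only candidate.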
The IP address from my mobile broadband is in the range of:
172.20.10.2/28
Another common problem is failing to NAT the tunnel on the OpenVPN client. When using dd-wrt (and probably other routers as well) for the OpenVPN client, you need to enable this option explicitly. On other platforms (Windows, Mac, mobile devices, etc.), this is *usually* done automatically, although there may be exceptions. And, of course, I can't speak for every possible platform that might be out there.
I don't see an option on DDWRT OpenVPN for enabling NAT. Is this the type of thing I should write iptables rules with?
Posted: Sun Jun 17, 2018 19:37 Post subject: Re: openvpn working - but no access to local network
Per Yngve Berg wrote:
nachumk wrote:
server 192.168.11.0 255.255.255.0
192.168.11.0 is a network. The server should have a node address 192.168.11.1
With 192.168.11.1, I get this error when trying to connect:
Jun 17 19:32:18 DD-WRT daemon.err openvpn[6469]: Options error: --server directive network/netmask combination is invalid
I don't see an option on DDWRT OpenVPN for enabling NAT. Is this the type of thing I should write iptables rules with?
If you're using a dd-wrt OpenVPN client, it's under the Advanced Options.
Do I need to enable NAT for the OpenVPN server on DDWRT? The router runs the server, my MacBook runs the client. Should I enable NAT in the client?
No. That's why I keep qualifying my response to the issue of NAT w/ the OpenVPN *client*! Some OpenVPN clients might expose this as an option, others may hide it and do it automatically. Just depends on the platform.
OK, yes, I see that you mention enabling NAT on the client. I can't find any option for that, so I'm searching. I'm using MacOS Tunnelblick. I see nothing in the OpenVPN documentation regarding a nat option in the client config file. I'll keep searching.
P.S. NAT'ing the tunnel is really only necessary if you're using the OpenVPN client as a gateway. IOW, once the OpenVPN client is connected, you configure that device to allow other devices on the same LAN (as the OpenVPN client) to use it as a gateway to access the tunnel and remote network (ala the dd-wrt router's OpenVPN client). If it's just a simple OpenVPN client and that's the *only* device accessing the remote LAN over the OpenVPN server, then it *isn't* a requirement.
Then I shouldn't need NAT on the client. I am just trying to access my internal network from the 1 machine running the OpenVPN client.
But I still can't get through. This is very frustrating. Are there other logs I can provide?
If the problems persist, then post the openvpn client and server logs (make sure you're actively attempting to use the connection at the time). There might be a clue in there.
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
That's a common problem. If the client and server are out of sync wrt this setting, they can't communicate, even if everything else appears normal. That's why it's important to see the logs!
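Two of the problems in this thread (the "--server directive network/netmask combination is invalid" error from putting a host address in the server line, and the comp-lzo mismatch warning) can be caught by reading the configs before starting OpenVPN. The following is an added example, not code from the thread or from dd-wrt/OpenVPN: it parses constructed server and client config fragments, validates the server directive the way the error message implies (no host bits may be set), lists the pushed routes, and reports a comp-lzo mismatch. The hostname vpn.example.net and the config contents are assumptions.

```python
import ipaddress
import shlex

# Constructed server config, modelled on the thread (not copied from any router).
SERVER_CONF = """\
dev tun
server 192.168.11.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"   # home LAN behind the router
comp-lzo
"""

# Constructed client config; note comp-lzo is absent, as in the posted warning.
CLIENT_CONF = """\
client
dev tun
remote vpn.example.net 1194
"""

def parse(conf):
    """Split an OpenVPN config into [directive, args...] lists, dropping comments."""
    lines = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            lines.append(shlex.split(line))
    return lines

def check_server_directive(conf):
    """Return problems with 'server <network> <netmask>'. A host address such as
    192.168.11.1 has host bits set, which is what OpenVPN rejects as an
    invalid network/netmask combination."""
    problems = []
    for d in parse(conf):
        if d[0] != "server":
            continue
        if len(d) < 3:
            problems.append("server: needs <network> <netmask>")
            continue
        try:
            ipaddress.ip_network(f"{d[1]}/{d[2]}", strict=True)
        except ValueError as e:
            problems.append(f"server: {e}")
    return problems

def pushed_routes(conf):
    """Networks the server hands to clients via push "route ..."."""
    routes = []
    for d in parse(conf):
        if d[0] == "push" and len(d) >= 2:
            inner = shlex.split(d[1])  # the quoted payload, e.g. route 192.168.1.0 255.255.255.0
            if len(inner) >= 3 and inner[0] == "route":
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=True))
    return routes

def compression_mismatch(server_conf, client_conf):
    """True when exactly one side has comp-lzo, the case behind the posted warning."""
    s = any(d[0] == "comp-lzo" for d in parse(server_conf))
    c = any(d[0] == "comp-lzo" for d in parse(client_conf))
    return s != c

if __name__ == "__main__":
    print("server directive problems:", check_server_directive(SERVER_CONF))
    print("with a host address:", check_server_directive("server 192.168.11.1 255.255.255.0\n"))
    print("pushed routes:", [str(n) for n in pushed_routes(SERVER_CONF)])
    print("comp-lzo mismatch:", compression_mismatch(SERVER_CONF, CLIENT_CONF))
```

Run it against your own server and client files in place of the constructed strings; a non-empty problem list or a True mismatch is worth fixing before chasing routing or iptables.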