Posted: Thu Nov 17, 2022 17:35 Post subject: [SOLVED] Access from the LAN a device connected with OpenVPN
Hi,
I have a question regarding the accessibility from the LAN of devices connected through the VPN Server.
My LAN is managed by an Asus RT-AC66U router with DD-WRT installed on it and the external access is controlled by the OpenVPN server of DD-WRT.
Everything is working fine. From Internet, I can connect to my router via the OpenVPN access and I can access my LAN. From the LAN, I also see the client on the OpenVPN Status page and I can ping the IP address of the client (10.8.0.2 while the LAN is on 192.168.1.x).
BUT... without any additional setting, from the LAN, from the Windows Explorer of a computer on the LAN for example, it looks like I cannot access a shared folder on the OpenVPN client.
So my question is: how can I access the OpenVPN client from the LAN?
What are the specific settings to make it possible?
Should the OpenVPN client also get a 192.168.1.x IP address?
We probably need to add a route somewhere but I'm not a specialist.
Thanks for your help!
Last edited by FTP on Fri Nov 18, 2022 15:43; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Thu Nov 17, 2022 19:29 Post subject:
What build are you using?
You face three potential problems.
The most important one is the firewall of the client; this might be the culprit blocking access.
The second problem is that the client can have a varying IP address, so you might consider using CCD files to give that particular client a fixed IP address (there are other possibilities, e.g. ifconfig-pool-persist /tmp/openvpn/ifpool, but you always have to use unique keys/certs per client and disable "Allow Duplicate Clients").
egc wrote:
The most important one is the firewall of the client; this might be the culprit blocking access.
Ok. I'll try to disable it for a test.
egc wrote:
The second problem is that the client can have a varying IP address, so you might consider using CCD files to give that particular client a fixed IP address (there are other possibilities, e.g. ifconfig-pool-persist /tmp/openvpn/ifpool, but you always have to use unique keys/certs per client and disable "Allow Duplicate Clients").
I'm not sure I understand.
So far, the only IP address I know is the one under OpenVPN: 10.8.0.2
And so far, every time I run a test, it's the same IP address for the client.
So are you talking about this IP address that could be different?
Or are you talking about an IP address that this OpenVPN client should get on the LAN (an address like 192.168.1.xxx)?
egc wrote:
Third possible problem, the client has to share directories/files to allow access from outside
It does.
For the purpose of my test, one folder is shared and I can access it when the computer connecting the OpenVPN is on the LAN.
Posted: Fri Nov 18, 2022 7:06 Post subject:
I would recommend upgrading to the latest build 50841, lots of changes, enhancements and (minor) security fixes.
No reset necessary.
I am indeed referring to the 10.8.0.x IP address your tun adapter gets from the server.
Even if you only have one client connecting, it can get another address e.g. 10.8.0.3 if you disconnect and shortly after that reconnect.
Of course you can always see it on the status page, and if you are satisfied with that, that is fine with me.
egc wrote:
I would recommend upgrading to the latest build 50841, lots of changes, enhancements and (minor) security fixes.
No reset necessary.
Ok. Thanks for the advice, I will.
egc wrote:
I am indeed referring to the 10.8.0.x IP address your tun adapter gets from the server.
Even if you only have one client connecting, it can get another address e.g. 10.8.0.3 if you disconnect and shortly after that reconnect.
Of course you can always see it on the status page, and if you are satisfied with that, that is fine with me.
You're absolutely right. I had this in mind but I removed the question from my 1st post to simplify my request. Obviously it's important but it was not the priority to make tests. 1st make sure it can work, I can access the device, 2nd secure the access by fixing the IP address.
I did a quick search on CCD files and I'll try to set up this fixed address by myself.
egc wrote:
The most important one is the firewall of the client; this might be the culprit blocking access.
Bingo!
Yes, it's the Windows firewall for Public network.
So I guess I need to add a rule on the Windows Firewall (Settings > Update & Security > Windows Security > Firewall & network protection > Advanced settings)?
Can you guide me for the appropriate rule?
Windows mentions as active public network: "OpenVPN TAP-Windows6 2".
Now I'll try to follow your server guide for the CCD files but I'll probably have some questions...
Ok done, it also works!
What I've done is prepare 4 CCD files:
client1 -> ifconfig-push 10.8.0.251...
client2 -> ifconfig-push 10.8.0.252...
client3 -> ifconfig-push 10.8.0.253...
client4 -> ifconfig-push 10.8.0.253... (same fixed IP address, as it's the same device as client3, just 2 different methods of connection)
I've put all 4 of them in /openvpn/ccd/
And I've added 4 lines in Administration/Commands/Startup.
Now 2 questions:
Instead of adding lines to Administration/Commands/Startup, why can't we still add
"client-config-dir /tmp/openvpn/ccd/" to the Additional config?
The change of directory from jffs to openvpn blocks this command?
And you say...
Quote:
You can add extra lines to this file with:
echo "iroute 192.168.6.0 255.255.255.0" >> /tmp/openvpn/ccd/client1
FTP wrote:
Instead of adding lines to Administration/Commands/Startup, why can't we still add
"client-config-dir /tmp/openvpn/ccd/" to the Additional config?
The change of directory from jffs to openvpn blocks this command?
If you use /jffs then you can just make the files and keep them permanent on /jffs.
The line you are referring to is if you do not have /jffs
Are you sure?
On your last server guide (v28) you write page 29...
Quote:
you have to tell the OVPN server where it can find these files, so in the Additional config of the OVPN server add: client-config-dir /jffs/ccd
This tells the server to find the CCD files in the directory /jffs/ccd
Then below...
Quote:
Alternatively, if you do not have permanent storage, just use the default directory (/tmp/openvpn/ccd) so do not set client-config-dir and make the CCD files every time at startup:
echo "ifconfig-push 10.8.0.254 255.255.255.0" > /tmp/openvpn/ccd/client1
Place this in Administration/Commands, Save as Startup
So my question is: why can't we add "client-config-dir /tmp/openvpn/ccd/" to the Additional config?
Why does the change of directory from jffs to openvpn block this command?
You either use permanent storage with jffs and save the ccd files there or do not use permanent storage and recreate the files at startup.
Choice is yours
Hum... I'm sorry, I'm still not sure I understand.
Are you saying we have the following choices?
1/ CCD file(s) stored with jffs + add "client-config-dir /jffs/ccd" to the Additional config
or
2/ CCD file(s) stored in /tmp/openvpn/ccd + add "client-config-dir /tmp/openvpn/ccd" to the Additional config
or
3/ No CCD files at all, but add command line(s) in startup commands that recreate the files at startup
Posted: Fri Nov 18, 2022 17:53 Post subject:
FTP wrote:
egc wrote:
You either use permanent storage with jffs and save the ccd files there or do not use permanent storage and recreate the files at startup.
Choice is yours
Hum... I'm sorry, I'm still not sure I understand.
Are you saying we have the following choices?
1/ CCD file(s) stored with jffs + add "client-config-dir /jffs/ccd" to the Additional config
or
2/ CCD file(s) stored in /tmp/openvpn/ccd + add "client-config-dir /tmp/openvpn/ccd" to the Additional config
or
3/ No CCD files at all, but add command line(s) in startup commands that recreate the files at startup
You can do 1.
But if you do not have permanent storage then you do not have to put anything in the additional config; you can put "client-config-dir /tmp/openvpn/ccd" in the additional config, but that is already the default, so it is not necessary.
If you do not have permanent storage you have to recreate the ccd files at startup, because after a reboot they are gone because, well, the storage is not permanent.
You do this with, and I quote from the Server setup guide paragraph about CCD files:
Quote:
echo "ifconfig-push 10.8.0.254 255.255.255.0" > /tmp/openvpn/ccd/client1
Place this in Administration/Commands, Save as Startup
As you have multiple clients, you have to use one line for each client with the corresponding key name, so for client2:
echo "ifconfig-push 10.8.0.253 255.255.255.0" > /tmp/openvpn/ccd/client2
and so on for each client.
The name of the client key is the name of the CCD file
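
The per-client startup lines discussed above, written as one script. This is an added example, not part of the thread or of the DD-WRT server guide; it goes beyond the one-line echo by refusing client names that are not plain file names and addresses already pushed to another client. It assumes the 10.8.0.x tunnel subnet and the /tmp/openvpn/ccd directory from the thread and that 10.8.0.1 is the server's own address; the function names write_ccd and provision and the --apply argument are hypothetical.

```shell
# Added example (not from the guide): recreate CCD files at boot, POSIX sh.
CCD_DIR="${CCD_DIR:-/tmp/openvpn/ccd}"  # default CCD directory named in the thread
NET_PREFIX="10.8.0"                     # tunnel subnet used in the thread
NETMASK="255.255.255.0"

# write_ccd NAME HOST: pin the client whose key name is NAME to NET_PREFIX.HOST.
# Returns 0 written, 1 bad name, 2 bad host number, 3 address taken, 4 no directory.
write_ccd() {
    name=$1; host=$2
    # The file name is the client key name: accept plain names only, so a
    # value such as "../x" can never write outside CCD_DIR.
    case $name in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Last octet must be 2..254 (assumption: .1 is the server's own address).
    case $host in
        ''|0*|*[!0-9]*) return 2 ;;
    esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ] || return 2
    ip="$NET_PREFIX.$host"
    mkdir -p "$CCD_DIR" || return 4
    # Refuse to hand one address to two different client names.
    for f in "$CCD_DIR"/*; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = "$name" ] && continue
        if grep -qF "ifconfig-push $ip " "$f"; then return 3; fi
    done
    echo "ifconfig-push $ip $NETMASK" > "$CCD_DIR/$name"
}

# provision: read "NAME HOST" lines on stdin; returns the number of skipped lines.
provision() {
    failed=0
    while read -r n h; do
        [ -n "$n" ] || continue
        write_ccd "$n" "$h" || { echo "skipped $n: code $?" >&2; failed=$((failed + 1)); }
    done
    return "$failed"
}

# Run as "script --apply" from the Startup commands; the mapping is constructed.
if [ "${1:-}" = "--apply" ]; then
    provision <<'EOF'
client1 251
client2 252
client3 253
EOF
fi
```
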