[solved] OpenVPN: Allow Clients To Access Hosts on LAN


vdmz
Posts: 14
Joined: Tue Nov 14, 2017 4:30 pm

[solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by vdmz »

OpenVPN functionality: "Allow Clients To Access Hosts on LAN" has no effect. GUI interface shows it as selected (configuration saved), but VPN clients are not able to access LAN hosts.
OpenVPN 2.3.18 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 25 2017
library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc.
mode server
port 1194
proto udp
tls-server
ifconfig 10.8.0.1 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd





cipher AES-256-CBC


dev tun
keepalive 25 180
status /var/run/openvpn_status
verb 3


dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0

persist-key
persist-tun
comp-lzo

push "topology subnet"
push "route-gateway 10.8.0.1"
push "redirect-gateway def1"
Last edited by vdmz on Sun Nov 19, 2017 6:00 pm, edited 1 time in total.
Router Model: Archer C7 V2 EU
Firmware: Gargoyle 1.10.0-ar71xx

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: OpenVPN: Allow Clients To Access Hosts on LAN

Post by ispyisail »


# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

vdmz
Posts: 14
Joined: Tue Nov 14, 2017 4:30 pm

Re: OpenVPN: Allow Clients To Access Hosts on LAN

Post by vdmz »

The mentioned directive allows seeing VPN clients only. The router's non-VPN hosts on the LAN are not included there.
Router Model: Archer C7 V2 EU
Firmware: Gargoyle 1.10.0-ar71xx

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: OpenVPN: Allow Clients To Access Hosts on LAN

Post by ispyisail »

Router's non-vpn hosts
example?

vdmz
Posts: 14
Joined: Tue Nov 14, 2017 4:30 pm

Re: OpenVPN: Allow Clients To Access Hosts on LAN

Post by vdmz »

You do not need any examples. It will be enough to know that the router menu (Connection -> OpenVPN -> "OpenVPN Server: Configuration") contains the following settings:

"Client-To-Client Traffic:" - that is the place which enables/disables the directive you mentioned above.

"LAN Subnet Access:" - that functionality should enable access for VPN users to LAN hosts if it is selected ("Allow Clients To Access Hosts on LAN"). But as I wrote before, this functionality does not work.

P.S. Observed that changing "LAN Subnet Access:" functionality from "Allow Clients To Access Hosts on LAN" to "Clients Can Not Access LAN" and vice versa, does not make any changes in "/etc/openvpn/server.conf" file and routing tables.
Router Model: Archer C7 V2 EU
Firmware: Gargoyle 1.10.0-ar71xx

rseiler
Posts: 208
Joined: Sun Dec 15, 2013 12:31 am

Re: OpenVPN: Allow Clients To Access Hosts on LAN

Post by rseiler »

Do you mean as of 1.10, or older versions too?

I haven't seen a change in 1.10 in accessing hosts on the LAN [only Windows tested]. Do they even ping?
Last edited by rseiler on Sun Nov 19, 2017 10:42 pm, edited 1 time in total.

vdmz
Posts: 14
Joined: Tue Nov 14, 2017 4:30 pm

Re: OpenVPN: Allow Clients To Access Hosts on LAN

Post by vdmz »

Seems the issue is not on all OS. At least it is on iOS.
The solution is to modify client configuration file in the path: "/etc/openvpn/ccd":

Modify the line below from:
push "route 192.168.1.1 255.255.255.0 10.8.0.1"
To:
push "route 192.168.1.1 255.255.255.0 vpn_gateway"
This solution does not break configuration for other OS. Tested on iOS and Linux (Debian).

Found the same topic here: viewtopic.php?t=3806#p32270

P.S. Gargoyle developers should pay attention to this post and modify their "auto-generation" script for client configuration file.

P.S. Suggestion for moderator to open the ticket in the bug list.
Router Model: Archer C7 V2 EU
Firmware: Gargoyle 1.10.0-ar71xx

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by Lantis »

@ispy
Can you please test this on Windows?
I don’t use it so can’t test.

@vdmz
Please feel free to open your own bug report, otherwise it will go on the already very long list of things I have to do.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by ispyisail »

so

"Allow Clients To Access Hosts on LAN"

At the moment this has no effect? or ......

Just need to make a test to confirm

vdmz
Posts: 14
Joined: Tue Nov 14, 2017 4:30 pm

Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN

Post by vdmz »

so

"Allow Clients To Access Hosts on LAN"

At the moment this has no effect? or ......

Just need to make a test to confirm

"Allow Clients To Access Hosts on LAN" - has effect, but the generated configuration does not work on all OS (see my post above). To make it work on all OS, the auto-generated files in the path "/etc/openvpn/ccd/" should change the generation of the following string:

FROM:
push "route 192.168.1.1 255.255.255.0 10.8.0.1"
TO:
push "route 192.168.1.1 255.255.255.0 vpn_gateway"
The main thing here is to change the auto-generation script to add, as shown in bold, vpn_gateway instead of the direct VPN server address (10.8.0.1).

This will eliminate the error on the iOS client side, which is:
route destinations other than vpn_gateway or net_gateway are not supported
ispyisail, if you take a look into this topic, you will find more explanations regarding this issue.
Router Model: Archer C7 V2 EU
Firmware: Gargoyle 1.10.0-ar71xx
