[solved] OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Tue Nov 14, 2017 5:59 pm
by vdmz
OpenVPN functionality: "Allow Clients To Access Hosts on LAN" has no effect. The GUI shows it as selected (configuration saved), but VPN clients are not able to access LAN hosts.
OpenVPN 2.3.18 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 25 2017
library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc.
mode server
port 1194
proto udp
tls-server
ifconfig 10.8.0.1 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd
cipher AES-256-CBC
dev tun
keepalive 25 180
status /var/run/openvpn_status
verb 3
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
persist-key
persist-tun
comp-lzo
push "topology subnet"
push "route-gateway 10.8.0.1"
push "redirect-gateway def1"
Re: OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Tue Nov 14, 2017 8:35 pm
by ispyisail
Code:
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
Re: OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Wed Nov 15, 2017 5:19 pm
by vdmz
The mentioned directive allows seeing VPN clients only. The router's non-VPN hosts on the LAN are not included there.
Re: OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Wed Nov 15, 2017 6:54 pm
by ispyisail
Router's non-vpn hosts
example?
Re: OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Wed Nov 15, 2017 8:52 pm
by vdmz
You do not need any examples. It will be enough to know that the router menu (Connection -> OpenVPN -> "OpenVPN Server: Configuration") contains the following settings:
"Client-To-Client Traffic:" - that is the place which enables/disables the directive you mentioned above.
"LAN Subnet Access:" - that functionality should enable access for VPN users to LAN hosts if it is selected ("Allow Clients To Access Hosts on LAN"). But as I wrote before, this functionality does not work.
P.S. Observed that changing "LAN Subnet Access:" functionality from "Allow Clients To Access Hosts on LAN" to "Clients Can Not Access LAN" and vice versa, does not make any changes in "/etc/openvpn/server.conf" file and routing tables.
Re: OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Fri Nov 17, 2017 2:08 am
by rseiler
Do you mean as of 1.10, or older versions too?
I haven't seen a change in 1.10 in accessing hosts on the LAN [only Windows tested]. Do they even ping?
Re: OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Sun Nov 19, 2017 5:54 pm
by vdmz
Seems the issue is not on all OS. At least it is on iOS.
The solution is to modify the client configuration file in the path "/etc/openvpn/ccd":
Modify the line below from:
push "route 192.168.1.1 255.255.255.0 10.8.0.1"
To:
push "route 192.168.1.1 255.255.255.0 vpn_gateway"
This solution does not break the configuration for other OS. Tested on iOS and Linux (Debian).
Found the same topic here:
viewtopic.php?t=3806#p32270
P.S. Gargoyle developers should pay attention to this post and modify their "auto-generation" script for client configuration file.
P.S. Suggestion for moderator to open the ticket in the bug list.
Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Sun Nov 19, 2017 10:33 pm
by Lantis
@ispy
Can you please test this on Windows?
I don’t use it so can’t test.
@vdmz
Please feel free to open your own bug report, otherwise it will go on the already very long list of things I have to do.
Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Mon Nov 20, 2017 4:46 am
by ispyisail
so
"Allow Clients To Access Hosts on LAN"
At the moment this has no effect? or ......
Just need to make a test to confirm
Re: [solved] OpenVPN: Allow Clients To Access Hosts on LAN
Posted: Mon Nov 20, 2017 4:17 pm
by vdmz
so
"Allow Clients To Access Hosts on LAN"
At the moment this has no effect? or ......
Just need to make a test to confirm
"Allow Clients To Access Hosts on LAN" - has effect, but the generated configuration does not work on all OS (see my post above). To make it work on all OS, the generation of the following string in the auto-generated files in the path "/etc/openvpn/ccd/" should change:
FROM:
push "route 192.168.1.1 255.255.255.0 10.8.0.1"
TO:
push "route 192.168.1.1 255.255.255.0 vpn_gateway"
The main thing here is to change the auto-generation script to add, as shown in bold, vpn_gateway instead of the direct VPN server address (10.8.0.1).
This will eliminate the error on the iOS client side, which is:
route destinations other than vpn_gateway or net_gateway are not supported
ispyisail, if you take a look into this topic, you will find more explanations regarding this issue.
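The ccd change described in the thread, as an added example that is not part of any post and is not Gargoyle's own generation script: a shell function that rewrites pushed routes whose gateway is the literal server address to the keyword vpn_gateway. The function name fix_ccd_routes, the client file name client1 and the sample file contents are constructed for illustration; the route line format is the one quoted in the posts above.

```shell
#!/bin/sh
# Added example, not Gargoyle's generator: rewrite pushed routes in
# client-config-dir files so the gateway is the keyword vpn_gateway.

# fix_ccd_routes DIR [GATEWAY]   (hypothetical helper name)
#   DIR      client-config-dir (/etc/openvpn/ccd in the thread)
#   GATEWAY  literal gateway to replace (default 10.8.0.1, the thread's server)
# Prints the path of every file it changed; a second run changes nothing.
fix_ccd_routes() {
    dir=$1
    gw=${2:-10.8.0.1}
    # Escape dots so the address is matched literally, not as "any character".
    gw_re=$(printf '%s' "$gw" | sed 's/\./\\./g')
    sp='[[:space:]][[:space:]]*'
    ip='[0-9.][0-9.]*'
    # Matches: push "route <net> <mask> <gw>"  (everything before <gw> is \1)
    pat="^\\([[:space:]]*push${sp}\"route${sp}${ip}${sp}${ip}${sp}\\)${gw_re}\""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -q "$pat" "$f" || continue      # no literal-gateway route here
        tmp="$f.tmp.$$"
        sed "s/$pat/\\1vpn_gateway\"/" "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
        cat "$tmp" > "$f"                    # overwrite in place: keeps owner and mode
        rm -f "$tmp"
        printf '%s\n' "$f"
    done
}

# Constructed sample: one client file with the route line from the thread
# and an ifconfig-push line that must stay untouched.
demo_dir=$(mktemp -d)
cat > "$demo_dir/client1" <<'EOF'
ifconfig-push 10.8.0.2 255.255.255.0
push "route 192.168.1.1 255.255.255.0 10.8.0.1"
EOF
fix_ccd_routes "$demo_dir"
cat "$demo_dir/client1"
```

Because the thread describes these files as auto-generated, a manual rewrite like this may be overwritten the next time the GUI regenerates them.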