Access Client side LAN on VPN server
Solution 1
Two things:
- Are you sure you have your local network OK? If the gateway is 10.1.1.253, and the netmask is 255.255.255.252, PCs 10.1.2.2 and 10.1.2.14 are not on the same network as the gateway.
- The packet from the Ocean server comes bearing as an IP address the other end of the OpenVPN tunnel, presumably 10.8.0.1. When this reaches 10.1.2.2, this sees it belongs to a different subnet than its own, and will thus try to forward its reply the only way it knows, i.e. via the gateway, not via the OpenVPN client. Hence the return ping never comes back.
The way to circumvent this is to add the following iptables rule on the RPI:
iptables -t nat -A POSTROUTING -d (here your local network) -j MASQUERADE
This way the packet will be sent back to the OpenVPN client. I did not insert your network because it is not clear which one that is: if it is 10.1.2.0/30 please insert that, or modify accordingly.
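The routing decision and source rewrite described in this answer, as an added example that is not part of the original answer: a toy Python model (not real netfilter) using the addresses from the question with its 255.255.252.0 netmask (10.1.0.0/22). The port numbers and the class and function names are constructed for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("10.1.0.0/22")      # netmask 255.255.252.0, from the question
GATEWAY = ipaddress.ip_address("10.1.1.253")   # LAN default gateway
RPI_LAN = ipaddress.ip_address("10.1.2.14")    # RPi (OpenVPN client) on the LAN
HOST = ipaddress.ip_address("10.1.2.2")        # target Linux system
VPN_SERVER = ipaddress.ip_address("10.8.0.1")  # server tunnel address presumed in the answer


def next_hop(dst):
    """Routing decision of a LAN host with only a connected route and a default gateway."""
    return dst if dst in LAN else GATEWAY


class Masquerade:
    """Toy model of 'POSTROUTING -d <LAN> -j MASQUERADE' (real NAT may also remap ports)."""

    def __init__(self, out_addr, match_dst):
        self.out_addr, self.match_dst = out_addr, match_dst
        self.conntrack = {}  # (nat_src, nat_sport, dst, dport) -> (orig_src, orig_sport)

    def outbound(self, src, sport, dst, dport):
        if dst not in self.match_dst:
            return src, sport, dst, dport          # rule does not match: forwarded unchanged
        self.conntrack[(self.out_addr, sport, dst, dport)] = (src, sport)
        return self.out_addr, sport, dst, dport    # source rewritten to the RPi's LAN address

    def inbound(self, src, sport, dst, dport):
        """Reply arriving at the RPi: restore the original destination if the flow is tracked."""
        orig = self.conntrack.get((dst, dport, src, sport))
        return (src, sport, *orig) if orig else (src, sport, dst, dport)


def round_trip(nat_enabled):
    """Return (next hop the target picks for its reply, address the reply finally goes to)."""
    pkt = (VPN_SERVER, 40000, HOST, 22)            # constructed sample flow
    nat = Masquerade(RPI_LAN, LAN)
    if nat_enabled:
        pkt = nat.outbound(*pkt)
    src, sport, dst, dport = pkt
    reply = (dst, dport, src, sport)               # target answers the source address it saw
    hop = next_hop(reply[2])
    if hop == GATEWAY:
        return hop, None                           # reply handed to the LAN gateway, not the RPi
    return hop, nat.inbound(*reply)[2]
```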
Solution 2
What you want to do is called LAN-to-LAN. The solution is to have the correct routes on your VPN client and VPN server. You usually do the client-side config by "pushing" the routing information from the server to the client.
Have a look at this: https://community.openvpn.net/openvpn/wiki/RoutedLans
also: https://serverfault.com/questions/593314/openvpn-routing-for-lan-to-lan-through-tun
Bhushan
Updated on September 18, 2022
Comments
- Bhushan over 1 year:
Till now I have managed to install OpenVPN server on DigitalOcean and OpenVPN client on Raspberry Pi. My Raspberry Pi's OpenVPN IP is 10.8.0.6, which I can ping from the OpenVPN server. Now this RPi is connected to a LAN network (gateway 10.1.1.253, SubnetMask: 255.255.252.0) by IP 10.1.2.14. There is another Linux system connected to this client's (RPi) network and its IP is 10.1.2.2.
Now I want to access 10.1.2.2 from the OpenVPN server via VPN. Can anybody explain to me how I should do this?
EDIT: As per @masgo's suggestion, I did the following:
  - In the server.conf file, added client-config-dir /etc/openvpn/ccd, route 10.1.0.0 255.255.252.0 and push "route 10.1.0.0 255.255.252.0"
  - In the /etc/openvpn/ccd/lappy file, added iroute 10.1.0.0 255.255.252.0
  - Now I am able to ping IP 10.1.2.14 (OpenVPN's client) from the OpenVPN server but not IP 10.1.2.2. What am I missing in client side routing?
- Bhushan over 7 years: My netmask is not 255.255.255.252 but 255.255.252.0
- Bhushan over 7 years: So I need to add the following command on the RPi: iptables -t nat -A POSTROUTING -d 10.1.0.0 / 22 -j MASQUERADE. Right?
- MariusMatutiae over 7 years: @BhushanPatil That's right. As for the network, apologies, my bad.
- MariusMatutiae over 7 years: @BhushanPatil No space in 10.1.0.0/22, careful.
- Bhushan over 7 years: THAT WORKED. Thank you very much. But I am new to networking stuff, so will you explain to me what magic this command is doing here: iptables -t nat -A POSTROUTING -d 10.1.0.0/22 -j MASQUERADE?
- MariusMatutiae over 7 years: @BhushanPatil Sure: it rewrites the IP header of every frame sent, with its own IP address for the sender, to make it look like the frames are sent from the RPI instead of being passed on from the Ocean server. It also keeps track of all conversations automagically, so that when the reply comes, the RPI knows that the reply is really for the Ocean server, not for itself.