Redfin
Posts: 5
Joined: Fri Feb 23, 2018 8:39 pm

OpenVPN client configuration

Fri Feb 23, 2018 8:55 pm

Yes, I'm a newbie, and I'm coming up the learning curve quickly. However, despite working on this for a week and a half, I'm no closer to a solution.

Below I'm attempting to establish a RaspberryPi as a remote OpenVPN client. I have established the OpenVPN tunnel and am able to ping hosts on my server-side network. However, I'm not able to ping the ethernet side (eth0) of the RaspberryPi. I have attempted numerous "route" and "iptables" instructions (based on various readings) which I won't bother to list here.

Here is a picture of the situation. I hope this paints the entire picture. Thanks for your help!

epoch1970
Posts: 1946
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN client configuration

Sat Feb 24, 2018 9:46 am

The picture is broken.
You can try some ASCII art and copy/paste in a [code  ] ... [/code  ] block instead: http://asciiflow.com
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

Redfin
Posts: 5
Joined: Fri Feb 23, 2018 8:39 pm

Re: OpenVPN client configuration

Sat Feb 24, 2018 9:38 pm

Here's the ASCII version of the picture. The issue I'm having is reflected in the lower right corner showing the "pings" are failing.

Code:

      Internet                                                        Internet
            +                                                               +
            |                                                               |
            |                                                               |
   +------------------+                                             +-----------------+
   |                  |                                             | ASUS Router     |
   |     iPhone       |                                             | (OpenVPN SERVER)|
   |  172.20.10.1     |                                             | 10.2.200.1      |
   +------------------+      +----------------------------------+   +-----------------+
            |                |    OpenVPN (tun0)          10.8.0.1          | Push "route 172.20.10.0
            |                |                                              |      255.255.255.0 10.8.0.2"
            |                |                                              |
   +------------------+      |                                      +-----------------+
   |                  |      |                                      | Desktop         |
   |  TP-Link pass thru      |                                      |                 |
   |                  |      |                                      | 10.2.200.2      |
   +------------------+      |                                      +-----------------+
            |                v
            |      +---------+
            |      |
            |      |                  [email protected]:/ $    sysctl net.ipv4.ip_forward
            |      |                  Net.ipv4.ip_forward = 1
       eth0 |      |tun0
172.20.10.3 |      |10.8.0.2          [email protected]:/ $    ip route
            |      ^                  Default via 172.20.10.1 dev eth0 src 172.20.10.3 metric 202
   +------------------+               10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
   |                  |               172.20.10.0/28 dev eth0 proto kernel scope link src 172.20.10.3 metric 202
   |Raspberry Pi      |  <----------+ 172.20.10.0/24 via 10.8.0.2 dev tun0
   |                  |
   +------------------+
                 client.conf
                    ifconfig  10.8.0.2  10.8.0.1

   Ping 172.20.10.1 - Success                                     Ping 10.8.0.1 - Success
   Ping 172.20.10.3 - Success                                     Ping 10.8.0.2 - Success
   Ping 10.2.200.x - Success                                !!!!! Ping 172.20.10.1 - FAIL  <---------+
                                                            !!!!! Ping 172.20.10.3 - FAIL <----------+

rosswiebe
Posts: 4
Joined: Fri Feb 23, 2018 3:11 pm

Re: OpenVPN client configuration

Sat Feb 24, 2018 10:09 pm

Sorry if I don't understand this, but can you point out the location of 172.20.10.1 and 172.20.10.3? I can't find them on your path.

Redfin
Posts: 5
Joined: Fri Feb 23, 2018 8:39 pm

Re: OpenVPN client configuration

Sun Feb 25, 2018 3:22 am

172.20.10.3 is the Raspberry Pi, and 172.20.10.1 is the iPhone (both on the left side of the diagram).

epoch1970
Posts: 1946
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN client configuration

Sun Feb 25, 2018 1:48 pm

Have you gone through this: https://openvpn.net/index.php/open-sour ... html#scope
That is, section title "Expanding the scope of the VPN to include additional machines on either the client or server subnet", both client and server sides.

Redfin
Posts: 5
Joined: Fri Feb 23, 2018 8:39 pm

Re: OpenVPN client configuration

Sun Feb 25, 2018 3:18 pm

epoch1970, yes, I did follow those instructions.

However, I can't implement the client-config-dir (ccd) directory on the server side because the OpenVPN server runs on my ASUS RT-N66U router, and the router GUI interface overwrites (deletes) the ccd file when OpenVPN starts.

I'm wondering if there's a different way to achieve the same thing.

epoch1970
Posts: 1946
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN client configuration

Sun Feb 25, 2018 7:00 pm

Well, I'm far from a specialist in OVPN in routed mode (or server mode).

But I think the old "peer-to-peer" mode, suited for site-to-site connections, is much simpler.
https://openvpn.net/index.php/open-sour ... howto.html

The static key is not mandatory here, but it helps demonstrate how simple the setup is. At the bottom of the page, you have the "route" statement your client config needs for "site-to-site".
(The supposed downside of p2p is that you need one instance of openvpn, and one tun or tap interface, per tunnel. Server mode was invented because Windows, at that time, had issues with multiple tun/tap devices. On Linux/BSD this never was a problem.)

The other solution is to use a bridged config. Then you'd have no route to set up at all. I suppose the Asus can handle bridging? The Pi surely can.

Redfin
Posts: 5
Joined: Fri Feb 23, 2018 8:39 pm

Re: OpenVPN client configuration

Sun Feb 25, 2018 11:04 pm

Problem solved - as follows:

The issue had to do with the server-side client ccd file (in my case called client). On the ASUS router the default place to put this file is:

Code:

/etc/openvpn/server1/ccd

However, this location is a RAM location in the router and does not survive settings changes (at least for me).

So, the solution was to enable jffs in the router's Administration menu, which opens an area of internal flash. There I created a folder structure and saved the appropriate client file.

I added this directive to the server config file:

Code:

client-config-dir /jffs/configs/openvpn/ccd

Per OpenVPN requirements, the client file looked like this:

Code:

iroute 172.20.10.0 255.255.255.0

I also changed the server side configuration to include:

Code:

route 172.20.10.0 255.255.255.0

All per:

https://openvpn.net/index.php/open-sour ... html#scope

I can now ping the client's local network from the server side.

Thanks for allowing me to post my question.

Redfin
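
A consistency check for the fix described in the post above, as an added example that is not part of the original thread: it confirms the client-config-dir exists and that every iroute in it has a matching route line in the server config. The function names and the temporary directory standing in for the router's /jffs path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every "iroute" in the
# client-config-dir has a matching "route" in the OpenVPN server config.

# Print the client-config-dir path named in a server config file.
ccd_dir() {
    awk '$1 == "client-config-dir" { print $2; exit }' "$1"
}

# check_iroutes SERVER_CONF [CCD_DIR]
# Prints one line per problem; returns 0 when consistent, 1 otherwise.
check_iroutes() {
    conf=$1
    dir=${2:-$(ccd_dir "$conf")}
    [ -n "$dir" ] || { echo "no client-config-dir in $conf"; return 1; }
    [ -d "$dir" ] || { echo "ccd directory missing: $dir"; return 1; }
    set -- "$dir"/*
    [ -f "$1" ] || { echo "no client files in $dir"; return 1; }
    awk -v conf="$conf" '
        # A missing netmask means a host route in OpenVPN.
        function key(net, mask) { return net " " (mask == "" ? "255.255.255.255" : mask) }
        FILENAME == conf { if ($1 == "route") routes[key($2, $3)] = 1; next }
        $1 == "iroute" {
            seen = 1
            k = key($2, $3)
            if (!(k in routes)) {
                print FILENAME ": iroute " $2 " " $3 " has no matching server route"
                bad = 1
            }
        }
        END { if (!seen) { print "no iroute lines found"; bad = 1 }; exit bad + 0 }
    ' "$conf" "$@"
}

# Constructed sample: the thread's subnet and "client" file, in a temp dir
# standing in for /jffs/configs/openvpn/ccd.
demo() {
    d=$(mktemp -d) && mkdir "$d/ccd"
    echo "iroute 172.20.10.0 255.255.255.0" > "$d/ccd/client"
    printf 'client-config-dir %s/ccd\n' "$d" > "$d/server.conf"
    check_iroutes "$d/server.conf" || echo "-> add the route line"
    echo "route 172.20.10.0 255.255.255.0" >> "$d/server.conf"
    check_iroutes "$d/server.conf" && echo "-> consistent"
    rm -rf "$d"
}
demo
```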
