Member
Posts: 149
Registered: ‎01-23-2017
Kudos: 28
Solutions: 6
Accepted Solution

ERX OpenVPN can't connect to LAN from remote client.

I'm trying to set up openVPN so a staff member can connect to an internal server behind the ERX remotely.

The old setup just had the RDP port from the server forwarded to the internet. Obviously that's bad. I changed it last year to use OpenVPN and it worked successfully but after I updated to firmware v1.10.0 the config got erased.

 

Anyways I've redone the setup, I've attached the config for the ERX and the openVPN config below.

 

The openVPN subnet is 192.168.100/24

The LAN is 192.168.2.0/24, I only need to reach one device on the LAN side which is at 192.168.2.15 

It's running Windows Server 2012 if that helps. From what I remember I didn't have to change anything on Windows to get this to work. All I need is RDP access, nothing else.

 

The client is on Windows 10. I can successfully connect to openVPN on the ERX remotely.

The client computer gets an IP in the 192.168.100.x range.

 

I used this guide - https://loganmarchione.com/2016/05/edgerouter-lite-openvpn-setup/

 

All Replies
Member
Posts: 149
Registered: ‎01-23-2017
Kudos: 28
Solutions: 6

Re: ERX OpenVPN can't connect to LAN from remote client.

Here's the client ovpn file, wouldn't let me attach it above.

 

pull
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1191
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
redirect-gateway def1
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client.pem
key client-decrypted.key

Established Member
Posts: 1,907
Registered: ‎03-02-2016
Kudos: 465
Solutions: 146

Re: ERX OpenVPN can't connect to LAN from remote client.

It looks fine. What happens when you connect to VPN and try to ping the router's LAN IP? How about pinging an IP on the router's LAN? How about a traceroute?

 

What is the output of

 

ps -ef | grep openvpn

How about (assuming vtun0 is your OpenVPN interface) when the client is connected

 

sudo more /var/run/openvpn/status/vtun0.status

Member
Posts: 149
Registered: ‎01-23-2017
Kudos: 28
Solutions: 6

Re: ERX OpenVPN can't connect to LAN from remote client.

When I try to connect to the VPN it makes a successful connection, I get an IP in the sub 192.168.100.x which is what I have openVPN set to push.

 

I have openVPN set to push the route to 192.168.2.0/24 which is the subnet of the LAN on the ERX. 

If I ping 192.168.2.1 I get request time outs. 

If I ping 192.168.2.15, the server I want to RDP into, I also get request time outs.

 

 

Output of ps -ef | grep openvpn (I changed the name of the domain in the paste below)

admin    10859 10841  0 10:44 pts/0    00:00:00 /bin/busybox grep openvpn
nobody   23811     1  0 May17 ?        00:00:04 /usr/sbin/openvpn --daemon --verb 3 --writepid /var/run/openvpn-vtun0.pid --status /var/run/openvpn/status/vtun0.status 30 --dev-type tun --dev vtun0 --mode server --tls-server --topology subnet --keepalive 10 60 --lport 1191 --proto udp --cipher aes-256-cbc --auth sha256 --ca /config/auth/cacert.pem --cert /config/auth/host.pem --key /config/auth/host-decrypted.key --dh /config/auth/dh2048.pem --management /tmp/openvpn-mgmt-intf unix --push dhcp-option DNS 192.168.2.1 --push route 192.168.2.0 255.255.255.0 --push dhcp-option DOMAIN CONTOSCO.LOCAL --max-clients 3 --server 192.168.100.0 255.255.255.0 --client-config-dir /var/run/openvpn/ccd/vtun0 --persist-key --persist-tun --keepalive 10 120 --user nobody --group nogroup --push redirect-gateway def1 bypass-dhcp

Yes vtun0 is the openVPN interface, the output of 'more' is: (I've hidden the WAN IPs)

OpenVPN CLIENT LIST
Updated,Fri May 18 10:52:14 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Sandy,XXX.XXX.XXX.XXX:64808,77955,9498,Fri May 18 10:41:35 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.100.2,Sandy,XXX.XXX.XXX.XXX:64808,Fri May 18 10:41:36 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END

The location of the computer I'm using to test the VPN connection is also behind an EdgeRouter. I double checked the firewall rules on there. I have rules for dropping proxies, but even after disabling those I can't ping the LAN on the ERX running openVPN. 

Member
Posts: 149
Registered: ‎01-23-2017
Kudos: 28
Solutions: 6

Re: ERX OpenVPN can't connect to LAN from remote client.

Oh FFS, I figured it out.

Had to start the openVPN GUI in Windows 10 with admin rights.

I have openVPN set to start automatically at start up, but apparently that wasn't enough.

Starting it up with admin rights flushed the dns and arp cache properly and added the routes to Windows properly too.

All I had to do was check the darn openVPN logs.

For more info I'm running this on Windows 10 x64 Home.

It'll be easier to set up for Windows 10 Pro since I can give the proper rights to the user without giving them full admin rights.

I'll keep looking for a solution there but as of now the issue is not an EdgeRouter issue.
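
The symptom resolved in this thread (tunnel up, pushed routes never installed because the client ran unelevated) shows up in the client log, so it can be checked mechanically. The following is an added example, not part of the original posts: it compares the routes the server pushed with route-installation failures in a client log. The sample log is constructed, its message wording is an assumption modelled on OpenVPN 2.x output on Windows, and `audit_routes` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample of a Windows OpenVPN client log (not taken from the thread).
# The message wording is modelled on OpenVPN 2.x output and is an assumption.
SAMPLE_LOG = """\
Fri May 18 10:41:35 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.2.1,route 192.168.2.0 255.255.255.0,route-gateway 192.168.100.1,topology subnet,ifconfig 192.168.100.2 255.255.255.0'
Fri May 18 10:41:36 2018 route.exe ADD 192.168.2.0 MASK 255.255.255.0 192.168.100.1
Fri May 18 10:41:36 2018 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=12]
Fri May 18 10:41:36 2018 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri May 18 10:41:36 2018 Initialization Sequence Completed
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PUSHED = re.compile(r"\broute " + IP + " " + IP)  # "route-gateway" does not match
ADD_CMD = re.compile(r"route\.exe ADD " + IP + " MASK " + IP, re.I)
FAILED = re.compile(r"route add(ition| command) failed", re.I)


def cidr(net, mask):
    """Convert a network/netmask pair to CIDR notation."""
    return str(ipaddress.ip_network(f"{net}/{mask}"))


def audit_routes(log_text):
    """Return pushed routes, the ones whose installation failed, and a hint."""
    pushed, failed, last_add, denied = [], [], None, False
    for line in log_text.splitlines():
        if "PUSH_REPLY" in line:
            pushed += [cidr(n, m) for n, m in PUSHED.findall(line)]
        elif (m := ADD_CMD.search(line)):
            last_add = cidr(*m.groups())  # remember which route is being added
        elif FAILED.search(line):
            if last_add and last_add not in failed:
                failed.append(last_add)
            denied = denied or "access is denied" in line.lower()
    return {"pushed": pushed, "failed": failed, "needs_elevation": denied}


if __name__ == "__main__":
    result = audit_routes(SAMPLE_LOG)
    for net in result["pushed"]:
        state = "NOT installed" if net in result["failed"] else "installed"
        print(f"pushed route {net}: {state}")
    if result["needs_elevation"]:
        print("route changes were denied: the client lacks rights to edit the routing table")
```

A pushed route that appears under `failed` with `needs_elevation` set matches the situation described above: the VPN connects and assigns an address, but traffic to the LAN subnet never enters the tunnel.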