Access LAN from VPN as client

Hi -

Has anyone figured out how to be able to route to the LAN IP addresses with the VPN acting as the client? I have a Slate AX (GL-AXT1800) connected as a client via OpenVPN. I would like to be able to access the LAN IP addresses of the Slate AX from the VPN. VPN is set up as Global Proxy (all traffic goes through VPN) and Allow Remote Access LAN is enabled. I cannot get anything to route down the tunnel when masquerade is disabled. As long as masquerade is enabled I can reach everything on the VPN server from the client. But cannot reach the LAN IPs from the server. I have routes on the server pointed towards the Slate AX VPN IP, but no joy… Curious if anyone has figured this out?

Step 1:
open client’s Allow Remote Access LAN

Step 2:
add a Route Rule on server

ps:
192.168.8.0/24 client’s lan ip
10.8.0.2 client vpn ip

Step 3:
add iroute on server

diff  /lib/netifd/proto/ovpnserver.sh
@@ -186,6 +186,7 @@ proto_ovpnserver_setup() {
                --writepid "/var/run/ovpnserver-${interface}.pid" \
                --script-security 2 \
                --config "${ovpn_cfg}" \
+               --client-config-dir "/etc/openvpn/client_config_dir" \
                --up "/etc/openvpn/scripts/ovpnserver-up $interface" 
                #--pull-filter ignore ifconfig-ipv6 \
                #--pull-filter ignore route-ipv6 

mkdir /etc/openvpn/client_config_dir
echo "iroute 192.168.8.0 255.255.255.0" > /etc/openvpn/client_config_dir/DEFAULT

Its not clear to me what Step 3 is… Is Step 3 assuming that the AXT1800 is the OpenVPN server? For clarity (if needed) the At1800 is a client on an already established OpenVPN server. The routes have already been added to the OpenVPN server. I do not see any traffic on the VPN when Masquerading is disabled. I was expecting to see the IPs of the 192.168.8.x subnet when disabling NAT… Even with adding the route like you show in Step 2, I see no 192.168.8.x IPs show up on the server’s interface. Nor do I see the local subnet IPs being routed to the VPN when performing a tcpdump on the AXt1800… VPN works fine with Masquerading on… I’m missing something as I’m about to replace this with a RPi… So much easier to work with, IMHO…

Openvpn server needs to add iroute, if the server is no on a glinet device, you should find a way to do that.

You can follow this link to learn what is iroute

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

Hi!
I continue this topic with my request because with the considerations above I have solved the 50% of my issue: thank you @dengxinfa.
My configuration is composed as for the attached picture. The goal consists in reaching the IP Camera in the OpenVPN client’s LAN from another client (for example by a smartphone).
I have followed all the steps described by @dengxinfa (replacing obviously the LAN client’s ip address with 192.168.20.0) and now I’m able to access to the IP camera with my laptop connected directly to the OpenVPN server.
I’ve read the official guide of the OpenVPN community where are explained all the steps to configure the client’s LAN access between clients. The procedure is similar/equivalent to the @dengxinfa’s, I have only added also the statement --push “route 192.168.20.0 255.255.255.0” under --client-config-dir “/etc/openvpn/client_config_dir” \in the /lib/netifd/proto/ovpnserver.sh file.
Client-to-client switch is turned-on in the GL-MT300N-V2 Server OpenVPN.
Allow access to LAN is turned on in the GL-MT300N-V2 OpenVPN client.
When I enable the OpenVPN client in my smartphone and I type the OpenVPN IP address 10.8.0.2 in the web browser, I’m able to access to the main page of the GL-MT300N-V2 client. 192.168.20.x IP addresseses are instead not reachable.
Probably I have only to configure correctly the additional route in the server, but due to my little experience/knowledge I’m not understanding in which way to proceed.
Thank you in advance for the (possible) suggestions!

  1. On the basis of Access LAN from VPN as client

  2. Change Authentication Mode to Username/Password and Certificate , enable client to client and then apply and export a camera.ovpn


  3. Add a camera Username/password

  4. mv /etc/openvpn/client_config_dir/DEFAULT /etc/openvpn/client_config_dir/camera

  5. camera use camera.ovpn to connect ovpn server, and then smartphone can access camera

1 Like

Hi @dengxinfa,
thank you for your reply.
I’m really sorry but I don’t understand why I have to change the Authentication Mode…
Anyway I have applied your suggestions but without success… the LAN side of the GL-MT300N-V2 client where the IP Camera is connected is still only reachable from the server… not by the Smartphone Client.
When the OpenVPN application is enabled in my smartphone, all the traffic is routed through OpenVPN: am I right? If yes, when I try to access to the IP 192.168.20.2, request is sent to the OpenVPN server: why it doesn’t re-route the request to the other client following the pre-programmed route roule?
Also the IP address 192.168.20.1 (GL-MT300N-V2 client’s LAN IP) is not reachable from my smartphone, only from server. Instead if I type 10.8.0.2 IP address in my Smartphone, the welcome page of the other client is shown correctly.
Thank you!

Because all clients need to be notified that iroute 192.168.20.0 is a camera subnet.
Therefore, the /etc/openvpn/client_config_dir/camera must be bound to the camera ovpnclient (mt300n-v2), so the file name must be the same as the username of the ovpnclient.

In my environment, it works;

Please try this step again and write out the steps

Hi @dengxinfa,
thank you for the clarification.
The same file camera.ovpn must to be imported in the MT300N-V2 client and Smartphone Client app: am I right?
Thank you!

no, camera.ovpn can only be imported on careme’s gateway

Ok, but in my Smartphone which client.ovpn file I have to import? I have to add another user in the server with username and password? Following your instruction the DEFAULT file create in origin is removed and replaced by camera. Exporting the client configuration with the GL-MT300N-V2 gui I obtain - obviously - a unique file. Please explain me step by step how to create the Smartphone client configuration.
Thank you in advance for the support!

Ok, solved, I will share my configuration shortly… hoping that it will be helpful for the community :+1:t2:

Hi All,
below steps that I have followed to obtain a full-working Client to Client LAN access in my system.

  1. I have created a server OpenVPN using Username/Password and Certificate as Authentication Mode.

  2. I have added two users with credentials.

  3. Access to the server by WinSCP.

  4. Navigate to /lib/netifd/proto/.

  5. Open ovpnserver.sh and add *–client-config-dir “etc/openvpn/client_config_dir” * under *–config “${ovpn_cfg}” *.

  6. Navigate to /etc/openvpn and create the client_config_dir folder.

7.Inside the folder I’ve created two files: camera and smartphone

  1. Inside camera file I’ve typed the following statements:
    iroute 192.168.20.0 255.255.255.0 (routing rule to the LAN side of the client)
    ifconfig-push 10.8.0.2 255.255.255.0 (static IP address assignement to the client)

  2. Inside smartphone file I’ve assigned only the static IP address.

  3. I’ve then started the OpenVPN server and added route rule.


  4. Now we are ready to export client OpenVPN configuration file.

  5. Move to the OpenVPN client where is connected the IP camera and click on + Add Manually button

  6. Drag ‘n’ drop the configuration file.

  7. Fill credentials for camera client.

  8. Start OpenVPN client.

  9. Select VPN Dashboard and click on the Options icon.

  10. Enable the Allow Remote Access LAN functionality.
    Sito 19

  11. Save the client configuration file in your smartphone and then open the OpenVPN Connect app:
    touch BROWSE and import the file.

  12. Fill credentials for smartphone client and touch on CONNECT.

  13. End

I hope that this guide will be useful for newbe like me :slightly_smiling_face:
Thank you @dengxinfa for the support! :clap:t2:

2 Likes