Access LAN from VPN as client

Hi -

Has anyone figured out how to be able to route to the LAN IP addresses with the VPN acting as the client? I have a Slate AX (GL-AXT1800) connected as a client via OpenVPN. I would like to be able to access the LAN IP addresses of the Slate AX from the VPN. VPN is set up as Global Proxy (all traffic goes through VPN) and Allow Remote Access LAN is enabled. I cannot get anything to route down the tunnel when masquerade is disabled. As long as masquerade is enabled I can reach everything on the VPN server from the client. But cannot reach the LAN IPs from the server. I have routes on the server pointed towards the Slate AX VPN IP, but no joy… Curious if anyone has figured this out?

Step 1:
open client’s Allow Remote Access LAN

Step 2:
add a Route Rule on server

ps:
192.168.8.0/24 client’s lan ip
10.8.0.2 client vpn ip

Step 3:
add iroute on server

diff  /lib/netifd/proto/ovpnserver.sh
@@ -186,6 +186,7 @@ proto_ovpnserver_setup() {
                --writepid "/var/run/ovpnserver-${interface}.pid" \
                --script-security 2 \
                --config "${ovpn_cfg}" \
+               --client-config-dir "/etc/openvpn/client_config_dir" \
                --up "/etc/openvpn/scripts/ovpnserver-up $interface" 
                #--pull-filter ignore ifconfig-ipv6 \
                #--pull-filter ignore route-ipv6 
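Review bot: the added --client-config-dir "/etc/openvpn/client_config_dir" line hard-codes a directory that nothing in the visible part of proto_ovpnserver_setup() creates, so the server depends on the separate mkdir having been run before it starts. Consider creating the directory in the script ahead of the openvpn invocation (mkdir -p on the same path) or taking the path from a variable next to ${ovpn_cfg}. A comment should also say that files in this directory are selected per client, and that a file named DEFAULT is applied to any client that has no file of its own.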

mkdir /etc/openvpn/client_config_dir
echo "iroute 192.168.8.0 255.255.255.0" > /etc/openvpn/client_config_dir/DEFAULT

It’s not clear to me what Step 3 is… Is Step 3 assuming that the AXT1800 is the OpenVPN server? For clarity (if needed) the AXT1800 is a client on an already established OpenVPN server. The routes have already been added to the OpenVPN server. I do not see any traffic on the VPN when Masquerading is disabled. I was expecting to see the IPs of the 192.168.8.x subnet when disabling NAT… Even with adding the route like you show in Step 2, I see no 192.168.8.x IPs show up on the server’s interface. Nor do I see the local subnet IPs being routed to the VPN when performing a tcpdump on the AXT1800… VPN works fine with Masquerading on… I’m missing something as I’m about to replace this with an RPi… So much easier to work with, IMHO…

The OpenVPN server needs to add iroute; if the server is not on a GL.iNet device, you should find a way to do that.

You can follow this link to learn what iroute is

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

Hi!
I continue this topic with my request because with the considerations above I have solved 50% of my issue: thank you @dxf.
My configuration is as shown in the attached picture. The goal is to reach the IP camera in the OpenVPN client’s LAN from another client (for example from a smartphone).
I have followed all the steps described by @dxf (obviously replacing the client’s LAN IP address with 192.168.20.0) and now I’m able to access the IP camera with my laptop connected directly to the OpenVPN server.
I’ve read the official guide of the OpenVPN community, which explains all the steps to configure client LAN access between clients. The procedure is similar/equivalent to @dxf’s; I have only also added the statement --push "route 192.168.20.0 255.255.255.0" under --client-config-dir "/etc/openvpn/client_config_dir" \ in the /lib/netifd/proto/ovpnserver.sh file.
The client-to-client switch is turned on in the GL-MT300N-V2 Server OpenVPN.
Allow access to LAN is turned on in the GL-MT300N-V2 OpenVPN client.
When I enable the OpenVPN client in my smartphone and I type the OpenVPN IP address 10.8.0.2 in the web browser, I’m able to access the main page of the GL-MT300N-V2 client. The 192.168.20.x IP addresses are instead not reachable.
Probably I only have to configure the additional route in the server correctly, but due to my little experience/knowledge I don’t understand how to proceed.
Thank you in advance for the (possible) suggestions!

  1. On the basis of Access LAN from VPN as client

  2. Change Authentication Mode to Username/Password and Certificate, enable client to client and then apply and export a camera.ovpn


  3. Add a camera Username/password

  4. mv /etc/openvpn/client_config_dir/DEFAULT /etc/openvpn/client_config_dir/camera

  5. The camera uses camera.ovpn to connect to the OpenVPN server, and then the smartphone can access the camera

1 Like

Hi @dxf,
thank you for your reply.
I’m really sorry but I don’t understand why I have to change the Authentication Mode…
Anyway I have applied your suggestions but without success… the LAN side of the GL-MT300N-V2 client where the IP Camera is connected is still only reachable from the server… not by the Smartphone Client.
When the OpenVPN application is enabled in my smartphone, all the traffic is routed through OpenVPN: am I right? If yes, when I try to access the IP 192.168.20.2, the request is sent to the OpenVPN server: why doesn’t it re-route the request to the other client following the pre-programmed route rule?
Also the IP address 192.168.20.1 (GL-MT300N-V2 client’s LAN IP) is not reachable from my smartphone, only from server. Instead if I type 10.8.0.2 IP address in my Smartphone, the welcome page of the other client is shown correctly.
Thank you!

Because all clients need to be notified that iroute 192.168.20.0 is a camera subnet.
Therefore, the /etc/openvpn/client_config_dir/camera must be bound to the camera ovpnclient (mt300n-v2), so the file name must be the same as the username of the ovpnclient.

In my environment, it works.

Please try this step again and write out the steps

Hi @dxf,
thank you for the clarification.
The same file camera.ovpn must be imported in the MT300N-V2 client and the Smartphone Client app: am I right?
Thank you!

No, camera.ovpn can only be imported on the camera’s gateway

Ok, but in my Smartphone which client.ovpn file do I have to import? Do I have to add another user in the server with a username and password? Following your instructions, the DEFAULT file created originally is removed and replaced by camera. Exporting the client configuration with the GL-MT300N-V2 GUI I obtain - obviously - a single file. Please explain to me step by step how to create the Smartphone client configuration.
Thank you in advance for the support!

Ok, solved, I will share my configuration shortly… hoping that it will be helpful for the community :+1:t2:

Hi All,
below are the steps that I followed to obtain a fully working Client to Client LAN access in my system.

  1. I have created a server OpenVPN using Username/Password and Certificate as Authentication Mode.

  2. I have added two users with credentials.

  3. Access the server by WinSCP.

  4. Navigate to /lib/netifd/proto/.

  5. Open ovpnserver.sh and add --client-config-dir "/etc/openvpn/client_config_dir" under --config "${ovpn_cfg}".

  6. Navigate to /etc/openvpn and create the client_config_dir folder.

  7. Inside the folder I’ve created two files: camera and smartphone

  8. Inside the camera file I’ve typed the following statements:
    iroute 192.168.20.0 255.255.255.0 (routing rule to the LAN side of the client)
    ifconfig-push 10.8.0.2 255.255.255.0 (static IP address assignment to the client)

  9. Inside the smartphone file I’ve assigned only the static IP address.

  10. I’ve then started the OpenVPN server and added the route rule.

  11. Now we are ready to export the client OpenVPN configuration file.

  12. Move to the OpenVPN client where the IP camera is connected and click on the + Add Manually button

  13. Drag ‘n’ drop the configuration file.

  14. Fill in the credentials for the camera client.

  15. Start the OpenVPN client.

  16. Select VPN Dashboard and click on the Options icon.

  17. Enable the Allow Remote Access LAN functionality.

  18. Save the client configuration file in your smartphone and then open the OpenVPN Connect app:
    touch BROWSE and import the file.

  19. Fill in the credentials for the smartphone client and touch CONNECT.

  20. End

I hope that this guide will be useful for newbies like me :slightly_smiling_face:
Thank you @dxf for the support! :clap:t2:

2 Likes
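
The server-side pieces this thread keeps returning to (a per-client file carrying iroute, a matching route on the server, and the DEFAULT fallback file) can be checked mechanically. The following is an added example, not code from the thread or from the GL.iNet firmware; the function names and the smartphone address 10.8.0.3 are constructed for illustration, and the route list stands in for whatever the server's Route Rule step configured.

```python
import ipaddress

def parse_iroutes(text):
    """Networks named by 'iroute NET [MASK]' lines in one client-config-dir file."""
    nets = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "iroute" and len(parts) >= 2:
            # OpenVPN treats an iroute without a netmask as a single host.
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
    return nets

def audit_ccd(ccd_files, server_routes):
    """ccd_files: {file name: contents}. server_routes: networks the server
    routes into the tunnel (the 'Route Rule' step). Returns a list of findings."""
    routed = [ipaddress.ip_network(r) for r in server_routes]
    findings, claimed = [], []
    for name, text in sorted(ccd_files.items()):
        for net in parse_iroutes(text):
            if name == "DEFAULT":
                # DEFAULT is used for every client that has no file of its own.
                findings.append(f"DEFAULT: iroute {net} applies to any client without its own file")
            if not any(net.subnet_of(r) for r in routed):
                findings.append(f"{name}: iroute {net} has no matching server route")
            for other, other_net in claimed:
                if net.overlaps(other_net):
                    findings.append(f"{name}: iroute {net} overlaps {other}'s {other_net}")
            claimed.append((name, net))
    return findings

# Constructed samples mirroring the thread (10.8.0.3 is an assumed address).
CATCH_ALL = {"DEFAULT": "iroute 192.168.8.0 255.255.255.0\n"}
PER_USER = {
    "camera": "iroute 192.168.20.0 255.255.255.0\n"
              "ifconfig-push 10.8.0.2 255.255.255.0\n",
    "smartphone": "ifconfig-push 10.8.0.3 255.255.255.0\n",
}

if __name__ == "__main__":
    for label, files, routes in [("catch-all", CATCH_ALL, ["192.168.8.0/24"]),
                                 ("per-user", PER_USER, ["192.168.20.0/24"])]:
        print(label, audit_ccd(files, routes) or "ok")
```

The per-user layout passes cleanly, while the catch-all DEFAULT file is flagged because any authenticated client without its own file would be handed the 192.168.8.0/24 subnet.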