OpenVPN Access to home network

mast0r · 2022-06-15T20:54:12.520Z

Hi,

first of all, I hope this is no duplicate topic but I wasn´t able to find some similar thread.

I´m a proud new owner of a GL-MT1300 which I want to use for traveling.
When not at home, I wanto to get access to my home network with OpenVPN which is running on a pfSense firewall. in my home network, multiple services are running but lets say there is a simple webserver.

With the OpenVPN server running on pfSense I´m able to connect to my home network from my mobile or tablet.
So I wanted to have this connection established from the Beryl so I don´t have to enable VPN from every device when traveling as long as they are connected to the Beryl WIFI.

So I created a config file from my OpenVPN server and imported it to the Beryl OpenVPN Client. This works fine and it connects successfully to my OpenVPN server.

But I can´t get access to my local webserver. From the internet traffic I see the VPN connection is used. This has been checked using https://www.whatismyip.com/ where I get the IP address of my hone Internet router. Once the VPN is disconnected I get the IP of my mobile hotspot for instance.

Any idea, why it is not working to get access to the webserver? Even access using the servers IP address doesn´t work so this is not a DNS issue.
Is it required to setup some static routes?
I have done some tests with “Access Local Network” enabled and disabled, Used the Internet Kill Switch and setup VPN Policies. None was working.

For a brief overview I´ve create a simple netowrk diagram where the tablet doesn´t get access to the webserver but the mobile phone does.

VPNNetwork708×422 25.2 KB

Thanks in advance for any help!
BTW I´m running on 3.203 as I was facing the “Wrong Key” bug in 3.211 with my iPhone WIFI hotspot

mast0r · 2022-06-20T19:54:38.890Z

Any ideas?
I´m really lost and tried to describe my issue as clear as possible. Please let me know if any information is missing

wcs2228 · 2022-06-21T01:39:50.842Z

Are you able to reach any other devices at the remote site? You can try ping and tracert to the Webserver, PC and any other devices. Are you able to access the Internet through the VPN tunnel?

Can you post the OpenVPN client config file with the keys removed?

I do not work for and I do not have formal association with GL.iNet

mast0r · 2022-06-21T06:30:14.920Z

Hi,

no not any of my services are reachable (not by ping, port check or whatever). The webserver is just an example.

This is my OpenVPN config:

persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
remote vpn.domain.com 1194 udp4
verify-x509-name "vpn.domain.com" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify

I don´t expect this issue to be related to my OpenVPN config as it is working well for other devices with the exact same config.

elorimer · 2022-06-21T07:35:37.492Z

A missing piece in your diagram is the WAN connection of the Beryl. The mobile phone is connecting fine over a cell connection, so it has a different path to the internet. You want to check that the path of the WAN side of the Beryl does not traverse any 10.0.200.0 subnet.
You have a PC on 10.0.100.xx, and the webserver on 10.0.200.xx. I’m assuming you can’t ping the PC either?
I don’t have any experience with pfSense, but the OpenVPN server has to build routes to the 100 and 200 subnets. Often routes will be specific to clients, and OpenVPN disambiguates clients based on certs and/or username. If you disconnect the mobile phone and use the mobile phone’s credentials, does it work?
You might look at the server logs related to the phone connection, and to the Beryl connection, and see if something is different.

mast0r · 2022-06-21T07:59:19.540Z

Hi elorimer,

thanks for your thoughts. Please find my answers below:

Does the Beryl WAN matter? It´s supposed to be a travel router so the WAN is always different. For my tests I used my mobile hotspot. Where I have some 172.16.x.x network.
Nothing from my internal network responds to a ping (there are even more subnets available which are not working either)
The OpenVPN routes are all build on the whole IP range/subnet from the OpenVPN clients. I have multiple devices connecting to my OpenVPN server. All of them work fine except the Beryl connection. Also any firewall rule to the subnets is set with the whole OpenVPN subnet.
I did but dont get any logging from the Beryl connection except internet traffic.

elorimer · 2022-06-21T11:42:44.271Z

WAN address: most travel routers get to the internet through other routers with private IP schemes, and you have to be careful about traversing from here to there when the same subnet range is in the mix. That’s why I asked.
2/3. When an OpenVPN client connects, the server gives it an address out of its pool of client addresses, call it something in the 10.8.0.xx range, maybe 10.8.0.4. Then the server builds a route from 10.8.0.4 to the destination subnets: one for your 100.xx net, and one for the 200.xx net. A route built for another client, say 10.8.0.3, won’t work. If you are connecting with the same credentials, the server keeps breaking down and readding the routes depending on which client is sending traffic and its a mess. That’s why I asked about credentials and the different subnets.
For the logs, I meant either the OpenVPN client log or the server log. You should be able to see the connection get negotiated and the routes added.

mast0r · 2022-06-21T13:02:56.185Z

Thanks for the clear explanation.

It´s kind of embarrasing but it´s actually working…

In my network diagram, one major point is missing… The webserver is not directly accessible as I´m using HAProxy on pfSense as a reverse proxy. So due to the firewall rules, the blocked access is on purpose. Thats why the access with IP was not working as the reverse proxy is configured for content switching.
My failure was I was pinging my internet router on 192.168.178.1 but pings to this subnet were blocked. Access of the webserver with the DNS name was not possible due to missing DNS server configuration.
The final issue was a DNS misconfiguration and the lack of configured DNS rebinding exclusions.

So all in all, everything works as expected. Thanks for your effort though!