
Openvpn port forwarding problem

Discussion in 'Tomato Firmware' started by cobrax2, Apr 18, 2017 at 10:14 AM.

  1. cobrax2

    cobrax2 Reformed Router Member

    Hey guys,
    I have a small problem: I had to move my internet connection to a USB stick. It works well, no problem, but the provider doesn't give me a "real" IP address, so I can't host any servers in my network. So my solution was to VPN to the work network, which is also behind a Tomato router :)
    So the situation is like this:
    the home router has a few computers behind it in the 192.168.10.0 range;
    the work router has the 192.168.0.0 range and a fixed external IP.
    I set up the OpenVPN client on the home router and the server at work.
    It connects OK and I can see the work network, but not the other way; I can't remote desktop to any of my home computers.
    And the biggest problem is that I need the "world" to see a few ports on my home network.
    How can I forward a port from the work IP through the VPN to my home network?
    Thank you!
     
  2. eibgrad

    eibgrad Network Guru Member

    In order to initiate connections from the OpenVPN server side of the tunnel, you need to enable the "Manage Client-Specific Options" field on the Advanced tab of the OpenVPN server. There you can specify the local IP network that lies behind the OpenVPN client. You identify that particular OpenVPN client based on its CN (Common Name).

    As far as port forwarding, unless you are forcing all your devices behind the OpenVPN client to use the OpenVPN server as their default gateway (which in this case doesn't seem likely or necessary), all your port forwarding over the WAN (using the GUI) should work just fine.
     
  3. cobrax2

    cobrax2 Reformed Router Member

    Sorry, I'm not that experienced :)
    I don't understand either of the two explanations :)
    What should I write in the "Manage Client-Specific Options"? It is already checked; "Allow Client<->Client" is also checked.
    Still, I can't access anything beyond the home router (the home network).
    The more important thing for me is to be able to open a port on a device on this home network to the world over this OpenVPN connection.
    Thanks!
     
  4. eibgrad

    eibgrad Network Guru Member

  5. cobrax2

    cobrax2 Reformed Router Member

    Sorry, what did you write? I didn't read it.
    Thanks
     
  6. eibgrad

    eibgrad Network Guru Member

    Sorry, I had to make some changes. And I got sidetracked by personal issues (we're in the process of moving).

    I assume your working OpenVPN connection is currently using NAT on the OpenVPN client?
     
  7. cobrax2

    cobrax2 Reformed Router Member

  8. cobrax2

    cobrax2 Reformed Router Member

    Could I also use tap instead of tun? It seems simpler, but it doesn't work at all; it fails when adding the route options:
    Apr 19 22:29:21 unknown daemon.notice openvpn[6303]: /sbin/route add -net <work external ip> netmask 255.255.255.255 gw <provider internal gw ip>
    Apr 19 22:29:21 unknown daemon.notice openvpn[6303]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.0.1 (this is the internal IP of the work router)
    Apr 19 22:29:21 unknown daemon.warn openvpn[6303]: ERROR: Linux route add command failed: external program exited with error status: 1
    I should mention that the USB stick at home connects to the provider/internet over PPPoE, if it matters.
    Thanks
     
  9. eibgrad

    eibgrad Network Guru Member

    Let's get site-to-site working first, then deal w/ the port forwarding issues later. I have a feeling if I throw too much at you at once, you'll be overwhelmed.

    If you want to allow connections to be initiated from the local IP network behind the OpenVPN server into the local IP network behind the OpenVPN client (and port forwarding falls into that category), that's called a site-to-site configuration. That requires additional changes because the OpenVPN server has no idea what local IP network(s) resides behind any given OpenVPN client that connects to it.

    When you set up the OpenVPN server, you typically push its local IP network (in this case, 192.168.0.0/24) to the OpenVPN client so it knows what that network is and how to reach it (w/ tomato, this is accomplished by checking the "Push LAN to clients" option on the OpenVPN server, under Advanced).

    Once the OpenVPN client is connected to the OpenVPN server, the client is able to access resources on the 192.168.0.0/24 network. However, nobody on the 192.168.0.0/24 network is able to access resources on the 192.168.10.0/24 network behind the OpenVPN client because at the moment that information has not been presented to the OpenVPN server. That's the purpose of the "Manage Client-Specific Options" section.

    You configure "Manage Client-Specific Options" by adding the local IP network that resides behind the OpenVPN client. Since you can have multiple OpenVPN clients connect to that OpenVPN server, the OpenVPN server needs a way to know which specific OpenVPN client is connecting, and you do that by specifying the CN (Common Name) used on the OpenVPN client's cert (i.e., the common name you chose when using easy-rsa to generate your certs and key files).

    Enable: checked
    Common Name: client (or whatever name you chose w/ easy-rsa)
    Subnet: 192.168.10.0
    Netmask: 255.255.255.0
    Push: unchecked

    When that specific OpenVPN client connects to the OpenVPN server, the server will add that route to its configuration so that devices on the 192.168.0.0/24 network know how to reach the 192.168.10.0/24 network. It's sort of like defining static routes, but in this case those static routes have to be directed at a specific OpenVPN client, since as I said, there could be many OpenVPN clients connecting to that OpenVPN server, all w/ their own unique local IP networks.

    If configured correctly, you should be able to disable NAT on the OpenVPN client and have full connectivity. Clients on either local IP network should be able to access each other.

    Just concentrate on getting that to work, because this must work before port forwarding will work.
     
    Last edited: Apr 19, 2017 at 8:58 PM
  10. eibgrad

    eibgrad Network Guru Member

    P.S. Just noticed your comment about a bridged VPN. You don't want to do this since your local IP network and the remote IP network are different. Instead you need to route between the two different IP networks.
     
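    The routed site-to-site setup described in the two posts above (push the server LAN to the client, tell the server which LAN sits behind a given client CN via a client-specific entry, and keep the three networks distinct rather than bridging), written out as an added example. This is not code from the thread or from Tomato; it generates the equivalent plain-OpenVPN server directives and the per-client `iroute` entry that Tomato's "Manage Client-Specific Options" table produces, and checks the addressing first. The tunnel network 192.168.27.0/24 is taken from the 192.168.27.1 gateway mentioned later in the thread; the CN "client", the ccd directory path and the interface names are assumptions.

```python
"""Added example, not part of the original thread: build the server-side
pieces of a routed (tun) OpenVPN site-to-site config for the thread's
topology and validate the addressing before deploying it.

Assumed values (from the thread where stated, otherwise invented):
  server LAN  192.168.0.0/24   work side, behind the OpenVPN server
  client LAN  192.168.10.0/24  home side, behind the OpenVPN client
  tunnel      192.168.27.0/24  OpenVPN's own point-to-point network
  client CN   "client"         whatever name easy-rsa was given
"""
import ipaddress
import re


def check_addressing(server_lan, client_lan, tunnel):
    """Routed site-to-site only works when the server LAN, client LAN and
    tunnel network are disjoint; this is why a bridged (tap) VPN does not
    fit the thread's topology. Returns a list of problems, empty if OK."""
    nets = {
        "server LAN": ipaddress.ip_network(server_lan),
        "client LAN": ipaddress.ip_network(client_lan),
        "tunnel": ipaddress.ip_network(tunnel),
    }
    names = list(nets)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def ccd_filename(common_name):
    """OpenVPN selects the client-config-dir file by the certificate CN.
    Only accept a plain name so a CN such as '../something' can never
    point outside the ccd directory."""
    if common_name.startswith(".") or not re.fullmatch(r"[A-Za-z0-9_.@-]+", common_name):
        raise ValueError(f"unsafe common name: {common_name!r}")
    return common_name


def ccd_entry(common_name, client_lan):
    """Contents of ccd/<CN>: 'iroute' tells OpenVPN that this connected
    client owns client_lan. This is the 'Subnet/Netmask' row of Tomato's
    "Manage Client-Specific Options" with Push unchecked."""
    ccd_filename(common_name)  # validate before the name is used as a path
    n = ipaddress.ip_network(client_lan)
    return f"iroute {n.network_address} {n.netmask}\n"


def server_directives(server_lan, client_lan, tunnel, ccd_dir="/etc/openvpn/ccd"):
    """Server config lines: the tunnel network, the server LAN pushed to
    clients ("Push LAN to clients"), the kernel route into the client LAN
    via the tun interface, and the ccd directory holding the iroute."""
    problems = check_addressing(server_lan, client_lan, tunnel)
    if problems:
        raise ValueError("; ".join(problems))
    s = ipaddress.ip_network(server_lan)
    c = ipaddress.ip_network(client_lan)
    t = ipaddress.ip_network(tunnel)
    return "\n".join([
        "dev tun",
        f"server {t.network_address} {t.netmask}",
        f'push "route {s.network_address} {s.netmask}"',
        f"route {c.network_address} {c.netmask}",
        f"client-config-dir {ccd_dir}",
    ]) + "\n"


if __name__ == "__main__":
    print(server_directives("192.168.0.0/24", "192.168.10.0/24", "192.168.27.0/24"))
    print("ccd/" + ccd_filename("client") + ":")
    print(ccd_entry("client", "192.168.10.0/24"))
```

    The `route` directive gets the kernel route into the server's table (the route the thread later sees appear once the client connects); the `iroute` in the ccd file is what lets OpenVPN itself map that network to the right client session, and without it the kernel route alone would not deliver packets. With the 192.168.10.0/24 route in place on the work router, anything NAT-related on the client side can be switched off as the post above suggests.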
  11. cobrax2

    cobrax2 Reformed Router Member

    Thank you for your patience. I'm attaching the current configuration, as I modified it like you said. Unfortunately it doesn't work, with or without the NAT checkbox enabled.
     
  12. eibgrad

    eibgrad Network Guru Member

    What specifically does and doesn't work? You should at least be able to access the remote IP network behind the OpenVPN server from the local IP network behind the OpenVPN client and have internet access over the VPN when NAT is enabled, just as before. You make it sound as if making these changes broke everything.

    As far as the snapshots, they look correct. You can see the 192.168.10.0/24 route got added to the OpenVPN server's routing table once client 111 got connected.

    Btw, is the OpenVPN server running on the primary router on that side of the connection, or is it a separate device?

    If the OpenVPN server is NOT running on the primary router on that side, but some other device, that means the primary router is not aware of this route we just added. And so the fact we added that route to the OpenVPN server isn't sufficient. We also have to tell the primary router (via a static route) that the 192.168.10.0/24 network is accessible via the LAN ip of the OpenVPN server device.
     
  13. cobrax2

    cobrax2 Reformed Router Member

    The internet on the home network is working. I cannot access any of the devices on the work network from the home network, nor the other way around. Lol, I didn't say I broke anything, it just still doesn't work :) . I think at some point in the past days I got the home network to access the work network, but I lost that ability at some point, not now.
    Both the OpenVPN client and the server are on Tomato routers, directly connected to the internet (home uses a PPPoE connection): home R7000, work AC68.
    Thank you very much again, I appreciate the advice you are giving me very much.
     
  14. eibgrad

    eibgrad Network Guru Member

    "the internet on the home network is working."

    I assume by this you mean you have internet access over the VPN? You just can't access remote devices on the 192.168.0.0/24 network from the 192.168.10.0/24 network? Even w/ NAT enabled?

    Btw, access is a somewhat ambiguous term. Let's be precise. Can you *ping* devices from the home network to the work network (again, w/ NAT enabled)? And I mean using explicit IPs, NOT domain names (e.g., ping 192.168.0.1).
     
  15. cobrax2

    cobrax2 Reformed Router Member

    Yes, over the VPN; I get the IP of the work network when I go to whatismyip... so that is OK.
    I can ping the gateways for the different networks (i.e. 192.168.0.1, the gw of the work network, answers a ping from the home network) but nothing beyond them. Yes, I mean IPs; I have a few computers/devices with static IPs.
    Thanks
     
  16. eibgrad

    eibgrad Network Guru Member

    Well based on that latest description, your VPN is working. If internet access is available over the VPN, and you can ping the gateway, the VPN is working. But if you can't ping any other devices, then most likely that's firewall issues on that side of the connection. Sometimes OSes (esp. the latest versions of Windows) will NOT respond to any network other than its own (at least by default). IOW, devices on the 192.168.0.0/24 network will not respond to other local networks like 192.168.10.0/24 (when NAT is disabled), or the VPN's tunnel network 192.168.27.0/24 (when NAT is enabled) unless you update their personal firewalls. IOW, it's a security issue, NOT a VPN connectivity issue.
     
  17. cobrax2

    cobrax2 Reformed Router Member

    I pinged devices from the same network and got answers. I also have devices that don't have firewalls; I tried those too, and from the same network they respond to pings.
    Anyway, it is not that important to me that I can't access the networks. If we can't do it, no biggie.
    But most important is that I get that port forwarding working. I really need to have a port open on my home network.
    Thanks
     
  18. cobrax2

    cobrax2 Reformed Router Member

    "192.168.27.1 destination unreachable" when I ping a device on the work network from the home network.
    27.1 is the gw assigned by OpenVPN, I think.
     
  19. eibgrad

    eibgrad Network Guru Member

    I understand accessing the remote network is not that important. But I had to be sure you have basic connectivity before even attempting port forwarding. And you *must* be able to reach the local IP network behind the OpenVPN client from the gateway device on the remote network (i.e., site-to-site). At that point you should be able to port forward from the remote network into any IP address in 192.168.10.0/24 network using the GUI. IOW, it doesn't require anything special. The 192.168.10.0/24 network is now known to the router running the OpenVPN server.
     
  20. cobrax2

    cobrax2 Reformed Router Member

    OK, so now what more can I do?
    Thanks
     
  21. eibgrad

    eibgrad Network Guru Member

    Did you try to port forward on the OpenVPN server side using the GUI and an internal/target IP address on the 192.168.10.0/24 network?

    As I said, given the current config, I don't see why it wouldn't work. If the site-to-site config is working, the router on that side should know how to find the 192.168.10.0/24 network over the VPN. And given the OpenVPN client is configured w/ the VPN as its default gateway, the replies should be routed back over the VPN and out that same router.

    At least it's not obvious to me why it wouldn't work. All that's different is that instead of the 192.168.0.0/24 network being the target of the port forward, it's the 192.168.10.0/24 network. And all the routing should be in place to make the 192.168.10.0/24 network accessible.
     
  22. cobrax2

    cobrax2 Reformed Router Member

    No, I didn't try to forward; I don't know how to do it from OpenVPN.
     
  23. eibgrad

    eibgrad Network Guru Member

    You just use the port forwarding feature of the tomato GUI on the router supporting the OpenVPN server, like any other port forward. But the target of the port forward (i.e., the internal IP address of the device you're trying to reach) will be on the 192.168.10.0/24 network, where normally it would be 192.168.0.0/24.
     
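    The port forward described above, done on the router running the OpenVPN server with a target on the 192.168.10.0/24 network, as an added example that is not from the thread or from Tomato's own code. It emits the iptables rules the Tomato GUI would create for such a forward (DNAT on the WAN interface plus a FORWARD accept toward the tunnel) as strings for review rather than executing them, and refuses targets that are not inside the client-side LAN. Interface names (`ppp0` for a PPPoE WAN, `tun21` for Tomato's server tunnel), the ports and the target host are assumptions. The optional `snat_via_tunnel` rule is the practitioner's caveat for the return path: the thread notes replies come back over the VPN because the client uses it as default gateway; if that were ever turned off, source-NATting the forwarded connection to the tunnel makes the home device reply to the work router regardless. Note that every such forward exposes a home device under the work site's public IP, so restrict `source` where the remote peers are known.

```python
"""Added example, not part of the original thread: build the iptables rules
for a port forward from the OpenVPN server router's WAN into the LAN behind
the OpenVPN client. Rules are returned as strings, not executed.

Assumed values: WAN interface ppp0 (PPPoE), server tunnel interface tun21,
client LAN 192.168.10.0/24, a Remote Desktop host 192.168.10.50:3389.
"""
import ipaddress


def port_forward_rules(wan_if, tun_if, ext_port, target_ip, target_port,
                       client_lan, proto="tcp", source="0.0.0.0/0",
                       snat_via_tunnel=False):
    """Return the iptables commands for one forward.

    - The DNAT in PREROUTING rewrites the destination of packets arriving on
      the WAN to the host behind the OpenVPN client; routing then sends them
      out the tun interface because the 192.168.10.0/24 route exists.
    - The FORWARD rule is inserted first (-I) so it precedes the default
      drop that router firewalls normally end the chain with.
    - snat_via_tunnel adds a MASQUERADE so the target sees the work router's
      tunnel address as the source and its replies return over the tunnel
      even if the home router no longer defaults to the VPN.
    """
    lan = ipaddress.ip_network(client_lan)
    tgt = ipaddress.ip_address(target_ip)
    if tgt not in lan:
        raise ValueError(f"{tgt} is not inside the client LAN {lan}")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    for p in (ext_port, target_port):
        if not 1 <= int(p) <= 65535:
            raise ValueError(f"port out of range: {p}")
    src = ipaddress.ip_network(source)  # validates the allow-list argument

    rules = [
        (f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} -s {src} "
         f"--dport {ext_port} -j DNAT --to-destination {tgt}:{target_port}"),
        (f"iptables -I FORWARD -i {wan_if} -o {tun_if} -p {proto} -s {src} "
         f"-d {tgt} --dport {target_port} -m state --state NEW -j ACCEPT"),
    ]
    if snat_via_tunnel:
        rules.append(
            f"iptables -t nat -A POSTROUTING -o {tun_if} -p {proto} "
            f"-d {tgt} --dport {target_port} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    # Expose RDP on the work IP, but only to one trusted /24 (assumed value).
    for r in port_forward_rules("ppp0", "tun21", 3389, "192.168.10.50", 3389,
                                "192.168.10.0/24", source="203.0.113.0/24"):
        print(r)
```

    On Tomato these lines belong in the firewall script (Administration > Scripts > Firewall) if the GUI's port-forwarding page is not used; a RELATED,ESTABLISHED accept rule already present on the router lets the reply packets through.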
