  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 292

How to reach PC's after OpenVPN Net

Hi,

I have a remote connection using OpenVPN.
My network is like this:
One PC should work as VPN Server; its local IP is 192.168.2.2 and, as you can see in the settings, the VPN IP is 10.8.0.1.
So when the client connects to the server, everything is fine for this connection.
I can ping 10.8.0.1 and also 192.168.2.2 - both IPs of the server.
The remote client gets the IP 10.8.0.10 and is also reachable by the VPN Server.

My problem is that I also need to access another PC in the 192.168.2.x net and don't know how to do this.
The command - push "route 192.168.2.0 255.255.255.0" - seems to work only for the VPN Server but not for the clients behind it.

What are the right configs for this?

Thanks

Andre

port 4700
proto udp
dev tun
ca "E:\\Programme\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "E:\\Programme\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "E:\\Programme\\OpenVPN\\easy-rsa\\keys\\server.key"  # This file should be kept secret
dh "E:\\Programme\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Asked:
andre72
 
Qlemo (C++ Developer) Commented:
The push is necessary. But all PCs to reach, located in 192.168.2.0/24 network, have to know about the VPN server being responsible for 10.8.0.x/24. Hence, that server needs to be either the default gateway, or that route has to be added to each client, or to the default gateway (preferred). You need
route -p add 10.8.0.0 mask 255.255.255.0 192.168.2.2
Since you can reach 192.168.2.2, I do not think you need to enable routing on the server (Routing and RAS is running already probably).
0
 
andre72 (Author) Commented:
Thanks Qlemo, I think I understand what you need.

The default gateway is a router - 192.168.2.1 ...

But where do I have to execute the command route -p add 10.8.0.0 mask 255.255.255.0 192.168.2.2 ?
At the VPN Server, the VPN Client or the LAN Clients?
0
 
Qlemo (C++ Developer) Commented:
"[...] or that route has to be added to each client, or to the default gateway (preferred)".

That route command is for usage on each 192.168.2.0/24 PC (LAN clients). A similar command can be used instead on 192.168.2.1 (which is not the server); the syntax will be different, depending on what brand that device is.


0

 
andre72 (Author) Commented:
I tried it on a LAN client (192.168.2.4) and route print reports OK:
Target      Mask            Gateway       IP
10.8.0.0    255.255.255.0   192.168.2.2   192.168.2.4

But as before, the VPN Client (10.8.0.10) can't reach 192.168.2.4 ....
Or did I misunderstand you?
0
 
Qlemo (C++ Developer) Commented:
Did you enable Routing on 192.168.2.2? You can see the necessary steps in Article 350, under "Configuration"; only the first code snippet is needed.
0
 
andre72 (Author) Commented:
I tried it but I get an error at the last line:

net start RemoteAccess reports an error 1058: service is unavailable
0
 
andre72 (Author) Commented:
Something else ... Wouldn't bridging from VPN->LAN be an easier solution?
I'm a novice with networking like this ...
0
 
Qlemo (C++ Developer) Commented:
Depending on the OS version, the service can be called "Routing and RAS" instead.

Yes, bridging would be easier, as you would have "transparent" IPs, that is, IP addresses of the LAN network (instead of a network of its own). This feature has not been available for that long with OpenVPN 2.1 on Windows; previously it worked only on *nix. I must admit I have wanted to try that for a very long time now, but have had no time yet.
0
 
andre72 (Author) Commented:
My VPN Server has Windows Pro and the VPN Client too. The LAN Clients are using Vista.

So whatever will work with this to connect to the LAN clients, I would agree with.
Also, letting the LAN clients connect to the VPN Server using OpenVPN would be OK.
I mean:
Remote VPN (10.8.0.10) <-> VPN Server (10.8.0.1) <-> One LAN Client using also OpenVPN (10.8.0.11)

As long as 10.8.0.10 will be able to connect to 10.8.0.11 ....
0
 
Qlemo (C++ Developer) Commented:
"Windows Pro" = XP, I suppose? Open the Service applet, and see if the service is called RemoteAccess (by opening the property of the service called similar), and whether it is not disabled.

Connecting one or two LAN clients via OpenVPN would be possible, but oversized and introducing some difficulties (e.g. the push route should not be done). I would not recommend that.
0
 
andre72 (Author) Commented:
You were right about the RemoteAccess service, it was disabled.
Now it is working, but I can still only access the server and no PC from the LAN ...
0
 
Qlemo (C++ Developer) Commented:
Have you checked the local firewalls of the LAN clients? Ingress connections will have the 10.8.0.x addresses, and might be filtered by Windows Firewall.
0
 
andre72 (Author) Commented:
Thanks for your support! You were right - the Firewall was the last problem. Very good step-by-step explanation. Thanks!
0
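
Added example (not part of the original thread and not code from either poster): a small Python model of the three things the thread had to fix in turn, namely the return route on the LAN PC, IP forwarding on the VPN server, and the LAN PC's firewall. The host names, the source-filter firewall model and the router without an upstream default route are simplifying assumptions; the addresses are the ones quoted in the posts.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (cidr, gateway) pairs; gateway None = on-link."""
    hits = [(ipaddress.ip_network(c), gw) for c, gw in routes
            if ipaddress.ip_address(dst) in ipaddress.ip_network(c)]
    return (max(hits, key=lambda h: h[0].prefixlen)[1] or dst) if hits else None

def owner(hosts, ip):
    return next((n for n, h in hosts.items() if ip in h["addrs"]), None)

def deliver(hosts, src, dst):
    """Walk one packet hop by hop; return 'ok' or the reason it is dropped."""
    here = owner(hosts, src)
    for _ in range(8):  # hop limit
        host = hosts[here]
        if dst in host["addrs"]:  # arrived: apply the host firewall's source filter
            ok = any(ipaddress.ip_address(src) in ipaddress.ip_network(c) for c in host["allow_from"])
            return "ok" if ok else f"{here}: firewall drops source {src}"
        if src not in host["addrs"] and not host["forward"]:
            return f"{here}: IP forwarding disabled"
        nxt = owner(hosts, next_hop(host["routes"], dst))
        if nxt is None:
            return f"{here}: no usable route to {dst}"
        here = nxt
    return "hop limit exceeded"

def ping(hosts, src, dst):
    """Echo request, then echo reply; both directions must be deliverable."""
    request = deliver(hosts, src, dst)
    return request if request != "ok" else deliver(hosts, dst, src)

def lan(return_route, forwarding, firewall_open):
    """Constructed model of the thread's network (addresses taken from the posts)."""
    anyone = ["0.0.0.0/0"]
    pc_routes = [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]
    if return_route:  # route -p add 10.8.0.0 mask 255.255.255.0 192.168.2.2
        pc_routes.append(("10.8.0.0/24", "192.168.2.2"))
    pc_allow = ["192.168.2.0/24"] + (["10.8.0.0/24"] if firewall_open else [])
    return {
        "vpn-client": dict(addrs=["10.8.0.10"], forward=False, allow_from=anyone,
                           routes=[("10.8.0.0/24", None), ("192.168.2.0/24", "10.8.0.1")]),
        "vpn-server": dict(addrs=["10.8.0.1", "192.168.2.2"], forward=forwarding, allow_from=anyone,
                           routes=[("10.8.0.0/24", None), ("192.168.2.0/24", None)]),
        "router": dict(addrs=["192.168.2.1"], forward=True, allow_from=anyone, routes=[("192.168.2.0/24", None)]),
        "lan-pc": dict(addrs=["192.168.2.4"], forward=False, allow_from=pc_allow, routes=pc_routes),
    }

print(ping(lan(True, True, False), "10.8.0.10", "192.168.2.4"))
```

In this model 192.168.2.2 answers in every state because the VPN server owns that address, so reaching it says nothing about whether the server forwards packets or whether the LAN PCs have a route back to 10.8.0.0/24.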
