Accessing Client LAN Devices - OpenVPN not implemented on Client Site Gateway



  • I am trying to implement a "hub-and-spoke" architecture OpenVPN system where pfSense runs on the edge router at the hub (OpenVPN Server) site, but OpenVPN is running on a LAN computer behind a (non-pfSense) router at the Client sites.

    The remote sites connect OK to the OpenVPN Server but the challenge is how to provide access from the Server's LAN to all of the devices on the Client site LAN and vice versa. At present we can only see the OpenVPN Client PC, not the other LAN devices at the Client site.

    Hub (OpenVPN Server) Site
    The central (Hub) site runs pfSense as the edge router. The OpenVPN Server runs on the pfSense edge router in "Site-to-Site" configuration with SSL/TLS encryption and security.

    • pfSense Router: 2.4.4-RELEASE
      WAN Address = Static IP
      LAN2 Address = 172.31.54.0/24 (used for remote Client Site access)

    • OpenVPN Server Configuration
      IPv4 Tunnel Network = 172.31.55.0/24
      IPv4 Local Network(s) = 172.31.54.0/24, 192.168.1.0/24
      IPv4 Remote network(s) = 10.8.2.0/24
      Inter-client communication = Disabled
      Duplicate Connection = Disabled
      Dynamic IP = Enabled
      Topology = Subnet

    • OpenVPN Client Overrides
      None presently configured for remote Client sites

    Remote OpenVPN Spoke (Client) Sites
    The Client sites each use a 3G/4G wireless edge router which has an internal Ethernet switch on the LAN side. The Router does not offer any OpenVPN capability, and there is no pfSense router available on the site. Therefore the OpenVPN Client is implemented on a Linux PC. Static routes can be added to the Router's routing table but I'd prefer to leave the router configuration (other than the site's LAN address) as standard between the Client sites.

    Taking one of the Client Sites as an example:

    • LAN Network: 10.8.2.0/24 (this is unique to each site)

    • Wireless Router: 3G/4G
      WAN Interface = Carrier-grade NAT, Dynamic IP assigned by ISP
      LAN Interface = 10.8.2.253/24

    • LAN Device 1: Linux PC running OpenVPN Client + application software
      OS = Ubuntu 16.04
      OpenVPN =
      LAN Interface = 10.8.2.1 (Static IP)

    • LAN Device 2 : Embedded controller with web server interface
      LAN Interface = 10.8.2.2 (Static IP)

    • LAN Device 3 : Embedded controller with command line interface (via SSH)
      LAN Interface = 10.8.2.3 (Static IP)

    QUESTIONS

    1. Can I provide the required routing for the Client sites by pushing routes or iroutes from the OpenVPN Server? (Given that there could be many Client sites this would obviously be preferable from a management perspective, but I'm not sure whether it's technically feasible).
    2. If this is not possible, can we implement masquerading on LAN Device 1 (the PC running the OpenVPN Client)? Again, from a management perspective, it would be preferable to only have to change the configuration on one device rather than modify the iptables and/or routing on all three devices.

    I have recently found this article and "Method 4" appears to be a solution:
    "Accessing LAN resources when OpenVPN is not LAN's GW"
    https://forums.openvpn.net/viewtopic.php?t=9465

    However, having read through it several times, and not having any experience with iptables or masquerading in Linux, I find it somewhat confusing.

    Can someone please clarify whether this is the right approach for the scenario, and if so elaborate on exactly the entries/commands I need to add to the system? Alternatively, if this isn't the right approach, please indicate what needs to be done and the implementation details.

    I



  • Since your problem is that the client is not the default gateway and is in the same subnet as the device you want to access, it can only be solved on the client site.

    @eccles said in Accessing Client LAN Devices - OpenVPN not implemented on Client Site Gateway:

    If this is not possible, can we implement masquerading on LAN Device 1 (the PC running the OpenVPN Client)? Again, from a management perspective, it would be preferable to only have to change the configuration on one device rather than modify the iptables and/or routing on all three devices.

    Masquerading is the only solution which will work by modifying only one device.
    The drawback of that solution is that any access seems to come from PC1. If that doesn't matter, just do it. It's described well in the link you've posted.
    You only have to replace 'local_lan_interface_name' with the name of the interface connected to the LAN in the command (e.g. eth0)

    Consider that you have to enable forwarding anyway on that host if you want to access devices behind it.



  • Hi,

    1. On LAN Device 1 you need ip_forward=1

    2a. On Wireless Router you need a route add -net 172.31.55.0 netmask 255.255.255.0 gw 10.8.2.1
    ^preferred^

    OR
    2b. On LAN Device 1 you need iptables -t nat -A POSTROUTING -s 172.31.55.0/24 -o eth0 -j MASQUERADE
    Replace eth0 with the physical interface (probably enp1s0)

    On pfSense use CSO Remote Networks for the iroute 10.8.2.0/24

    Edit, viragoman beat me :)


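As an added example (not a script posted by any participant in this thread), the following collects the pieces from the two replies above into one script for LAN Device 1: enabling ip_forward, adding the MASQUERADE rule in the nat table (the POSTROUTING chain only exists there, so `-t nat` is required), and a verify step. The addresses are the ones from the original post; the interface name eth0 is an assumption and can be overridden with LAN_IF. It masquerades the two hub LANs listed in the server's IPv4 Local Network(s) in addition to the tunnel network, because traffic from hub LAN hosts reaches 10.8.2.x with those source addresses and the replies from LAN Device 2/3 would otherwise go to the 4G router's default route rather than back into the tunnel.

```shell
#!/bin/sh
# Added example for this thread; not code from any post above.
# Configures the OpenVPN client PC (LAN Device 1, 10.8.2.1) to forward and
# masquerade traffic arriving from the tunnel toward the site LAN, so that
# LAN Device 2/3 answer to 10.8.2.1 instead of the 4G router's default gateway.
# Addresses come from the thread; the interface name is an assumption
# (override with LAN_IF=enp1s0).
TUN_NET="172.31.55.0/24"                    # OpenVPN IPv4 Tunnel Network
HUB_NETS="172.31.54.0/24 192.168.1.0/24"    # server's IPv4 Local Network(s)
LAN_IF="${LAN_IF:-eth0}"                    # physical LAN interface on LAN Device 1

# Run a command, or only print it when DRY_RUN=1 (no root needed).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Source networks whose packets must be masqueraded when leaving the LAN
# interface: the tunnel network plus every hub LAN that the server routes.
masq_sources() {
  echo "$TUN_NET $HUB_NETS"
}

# Enable forwarding and add one MASQUERADE rule per source network.
# iptables -C checks whether the rule already exists, so re-running is safe.
# Neither setting survives a reboot: put net.ipv4.ip_forward=1 in
# /etc/sysctl.conf and call this script from an OpenVPN "up" script
# (with script-security 2) or via iptables-persistent.
apply_masq() {
  run sysctl -w net.ipv4.ip_forward=1
  for src in $(masq_sources); do
    if [ "${DRY_RUN:-0}" = "1" ] || \
       ! iptables -t nat -C POSTROUTING -s "$src" -o "$LAN_IF" -j MASQUERADE 2>/dev/null; then
      run iptables -t nat -A POSTROUTING -s "$src" -o "$LAN_IF" -j MASQUERADE
    fi
  done
}

# Checks to run after applying: forwarding on, NAT counters rising while a
# hub host pings 10.8.2.2, and the hub LANs routed via the tunnel interface.
verify_masq() {
  run sysctl -n net.ipv4.ip_forward            # expect 1
  run iptables -t nat -L POSTROUTING -v -n     # pkts/bytes grow during a ping test
  run ip route show                            # hub LANs should point at tun0
}

case "${1:-}" in
  apply)  apply_masq ;;
  verify) verify_masq ;;
  "")     ;;                                   # no action when sourced without arguments
  *)      echo "usage: $0 {apply|verify}" >&2; exit 2 ;;
esac
```

Run as root on the client PC: `LAN_IF=enp1s0 sh masq.sh apply`, then `sh masq.sh verify` while pinging 10.8.2.2 from a hub LAN host. The hub side still needs the Client Specific Override mentioned above: in pfSense it is keyed on the client certificate's common name, and setting its IPv4 Remote Network/s to 10.8.2.0/24 is what produces the iroute for that site.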

  • Many thanks to both of you for the rapid responses.

    I'll try implementing those suggestions when I get a chance.



  • @pippin said in Accessing Client LAN Devices - OpenVPN not implemented on Client Site Gateway:

    2a. On Wireless Router you need a route add -net 172.31.55.0 netmask 255.255.255.0 gw 10.8.2.1
    ^preferred^

    That won't work. You will get asymmetric routing issues.

    @pippin said in Accessing Client LAN Devices - OpenVPN not implemented on Client Site Gateway:

    On pfSense use CSO Remote Networks for the iroute 10.8.2.0/24

    Yes, as your vpn tunnel is a /24, you will also need a CSO.
    However, if the tunnel is for one client only it would be easier to set the mask to /30, so no CSO is needed.



  • @viragomann said in Accessing Client LAN Devices - OpenVPN not implemented on Client Site Gateway:

    @pippin said in Accessing Client LAN Devices - OpenVPN not implemented on Client Site Gateway:
    That won't work. You will get asymmetric routing issues.

    Yes, I see the asymmetric routing "problem".
    I was always told that the route on router (gateway) is preferred over masquerade.

    For a server behind NAT they give this example which of course could be solved with masquerading too:
    https://community.openvpn.net/openvpn/wiki/RoutedLans
    Diagram:
    https://secure-computing.net/wiki/index.php/Graph



  • Best solution would be to put the VPN client into a separate subnet connected to the gateway and set static routes on the gateway and on the client PC for the LANs.
    But I don't know if this is possible on that 3G/4G router.
    Masquerading is the easiest solution, but has its drawback, as mentioned.



  • @viragomann
    Thanks for the further response.

    The 4G Router used at the Client site is either a TL-MR6400 or an Archer MR400. Those routers have only one LAN port, which is connected to an internal 4-port Ethernet switch.

    Unfortunately, given that scenario, I can't see a way to connect the VPN Client machine on to a separate subnet at the router. Given the number of potential Client sites the cost is significant so changing the router is not really an option.