Netgate Discussion Forum

Getting a LAN IP from OpenVPN

  • W
    Wastapi
    last edited by Sep 23, 2019, 6:13 PM

    Is there a way to get a 192.168.2.x IP rather than 10.40.30.x IP when connecting over OpenVPN?

    Because configuring all services on all machines on the LAN to accept the 10.40.30.x IP is pretty cumbersome and tedious.

    We have multiple Docker containers, and I can't reach them when I am remotely connecting through OpenVPN.

    Thanks!

    J V 2 Replies Last reply Sep 23, 2019, 7:12 PM Reply Quote 0
    • J
      JKnott @Wastapi
      last edited by Sep 23, 2019, 7:12 PM

      @Wastapi

      Unless you run the VPN in TAP mode, the remotes cannot be in the same subnet as the LAN. TAP mode is essentially a bridge, rather than routing as tun mode does.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      1 Reply Last reply Reply Quote 1
      • J
        JeGr LAYER 8 Moderator
        last edited by Sep 23, 2019, 8:42 PM

        There is a possibility to do that with tun, too, but the downside - and thus impractical for the OP - is, that you do have to create proxy arp entries for any IPs in the same network. See:

        https://de.slideshare.net/NetgateUSA/advanced-openvpn-concepts-on-pfsense-24-233-pfsense-hangout-february-2017 (slides 34++)

        It's not recommended and you have to use a pretty good regulated internal network for it to use CIDR boundaries. And you need to proxy ARP all IPs in that VPN subnet. Then it "should"(!) be possible.

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        J 1 Reply Last reply Sep 23, 2019, 11:00 PM Reply Quote 1
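The planning check implied by the post above (CIDR-aligned client block, proxy ARP for every address in it), as an added example that is not part of the original thread. The function name `plan_proxy_arp`, the /24 LAN mask, the candidate client blocks and the in-use host list are assumptions constructed for illustration.

```python
import ipaddress

def plan_proxy_arp(lan_cidr, vpn_cidr, reserved):
    """Check a VPN client block carved out of the LAN subnet and list the
    addresses the firewall would have to answer ARP for on the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    try:
        # strict=True rejects a block that does not start on a CIDR boundary.
        vpn = ipaddress.ip_network(vpn_cidr, strict=True)
    except ValueError as exc:
        return {"ok": False, "errors": [f"not a CIDR boundary: {exc}"],
                "proxy_arp": []}

    errors = []
    if not vpn.subnet_of(lan):
        errors.append(f"{vpn} is not inside LAN {lan}")
    # A LAN host already living in the block would have its ARP replies
    # contested by the firewall, so static hosts and DHCP leases must stay out.
    for ip in reserved:
        if ipaddress.ip_address(ip) in vpn:
            errors.append(f"{ip} is already in use inside {vpn}")

    # Only a clean plan yields the list of addresses to proxy-ARP.
    proxy_arp = [] if errors else [str(addr) for addr in vpn]
    return {"ok": not errors, "errors": errors, "proxy_arp": proxy_arp}

# Constructed sample values (not taken from the thread).
LAN = "192.168.2.0/24"
IN_USE = ["192.168.2.1", "192.168.2.10", "192.168.2.245"]
CANDIDATES = ["192.168.2.224/28",   # aligned, free
              "192.168.2.240/28",   # aligned, but .245 is in use
              "192.168.2.200/28",   # not on a /28 boundary
              "10.40.30.0/28"]      # outside the LAN subnet

if __name__ == "__main__":
    for block in CANDIDATES:
        plan = plan_proxy_arp(LAN, block, IN_USE)
        status = "OK" if plan["ok"] else "REJECT"
        detail = f"{len(plan['proxy_arp'])} proxy ARP entries" if plan["ok"] \
            else "; ".join(plan["errors"])
        print(f"{block:20} {status:7} {detail}")
```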
        • J
          JKnott @JeGr
          last edited by Sep 23, 2019, 11:00 PM

          @JeGr said in Getting a LAN IP from OpenVPN:

          that you do have to create proxy arp entries for any IPs in the same network.

          The only time I ever used a proxy arp, was when I set up a PPP connection for dial in access to my computer. The remote computer was in the same subnet as the main computer.


          J 1 Reply Last reply Sep 24, 2019, 5:39 PM Reply Quote 1
          • J
            JeGr LAYER 8 Moderator @JKnott
            last edited by Sep 24, 2019, 5:39 PM

            @JKnott said in Getting a LAN IP from OpenVPN:

            @JeGr said in Getting a LAN IP from OpenVPN:

            that you do have to create proxy arp entries for any IPs in the same network.

            The only time I ever used a proxy arp, was when I set up a PPP connection for dial in access to my computer. The remote computer was in the same subnet as the main computer.

            Yeah something like that and in the late 90s, too. But in this case using proxy arp is understandable as the firewall as a proxy has to announce, that the IPs one would use for VPN dial-in are actually belonging to it (or better, are routed through it) so the answer packets can be routed through to the VPN client. That is only needed if you need to reach IPs in the same subnet as your dialed-in-LAN-IP. We use something similar to get "office" IPs when we connect to our company VPN so we can access all servers and VMs in datacenters like we were in our office on our laptops. That actually works seamless and very easy :)


            1 Reply Last reply Reply Quote 1
            • V
              viragomann @Wastapi
              last edited by Sep 24, 2019, 6:18 PM

              @Wastapi
              You can achieve this with a simple outbound NAT rule (masquerading) as well.
              Just go to Firewall > NAT > Outbound and activate the hybrid mode if it is still in automatic mode.
              Then add a new rule:
              Interface: LAN
              protocol: TCP (or any if needed)
              source: <your OpenVPN tunnel network>
              destination: LAN net (or an alias including specific IPs if you want)
              translation address: interface address

              So packets from an OpenVPN client get the firewall's LAN IP as source when they're going out.

              If your OpenVPN server is also used by other clients you may want to configure a CSO for you and set the source in this rule to your IP only. So that rule is applied to your connection only.

              K 1 Reply Last reply Sep 27, 2019, 6:03 PM Reply Quote 2
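A small model of the outbound NAT rule described in the post above, as an added example that is not part of the original thread and is not pfSense code. It shows which packets the rule rewrites and what source address LAN hosts then see in their logs; the /24 masks, the firewall LAN address 192.168.2.1, the client addresses and the names `outbound_nat` and `sources_seen` are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst")

def outbound_nat(pkt, rule_src, rule_dst, rule_proto, lan_if_addr):
    """Apply one outbound NAT rule on the LAN interface: if protocol, source
    and destination all match, rewrite the source to the interface address."""
    src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule_src)
    dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule_dst)
    proto_ok = rule_proto in ("any", pkt.proto)
    if src_ok and dst_ok and proto_ok:
        return pkt._replace(src=lan_if_addr)
    return pkt  # no match: the packet keeps its tunnel address

# Assumed addressing: the thread gives only 10.40.30.x and 192.168.2.x.
TUNNEL_NET = "10.40.30.0/24"
LAN_NET = "192.168.2.0/24"
FW_LAN_IP = "192.168.2.1"

# Constructed sample traffic from two VPN clients.
SAMPLE = [
    Packet("tcp", "10.40.30.2", "192.168.2.50"),  # client A to a LAN service
    Packet("tcp", "10.40.30.3", "192.168.2.50"),  # client B, same service
    Packet("udp", "10.40.30.2", "192.168.2.53"),  # UDP, not covered by proto TCP
    Packet("tcp", "10.40.30.2", "203.0.113.9"),   # destination is not LAN net
]

def sources_seen(rule_src, rule_proto="tcp"):
    """Source address each sample packet carries after the rule is applied."""
    return [outbound_nat(p, rule_src, LAN_NET, rule_proto, FW_LAN_IP).src
            for p in SAMPLE]

if __name__ == "__main__":
    # Whole tunnel network as source: both clients look like the firewall.
    print("tunnel net, tcp :", sources_seen(TUNNEL_NET))
    # Source narrowed to one client's fixed address, as with a CSO.
    print("one client, tcp :", sources_seen("10.40.30.2/32"))
    # Protocol set to any: the UDP packet is translated too.
    print("tunnel net, any :", sources_seen(TUNNEL_NET, "any"))
```

With the whole tunnel network as source, LAN services log every VPN client as 192.168.2.1, so per-client attribution has to come from the firewall's own OpenVPN and state logs.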
              • W
                Wastapi
                last edited by Sep 24, 2019, 7:12 PM

                Wow! Thanks a lot for your replies, you are HOT! :) 🔥 🔥 🔥

                We have turned to TAP with the following configurations and it seems to work so far.

                In the OpenVPN Server.
                1- Device mode: tap – Layer 2 - Tap Mode
                2- Bridge DHCP: Checked
                3- Bridge Interface: LAN
                4- Bridge Router Gateway: Checked
                5- Server Bridge DHCP Start: 192.168.1.X
                6- Server Bridge DHCP End: 192.168.1.X+10
                7- Redirect IPv4 Gateway: Checked

                If any of the above creates a security or performance problem, please notify!

                Thanks again!

                PS: I use Viscosity to connect and have set my DNS server in my connection to the gateway.

                1 Reply Last reply Reply Quote 0
                • P
                  Pippin
                  last edited by Sep 24, 2019, 8:14 PM

                  Please read it carefully:
                  https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

                  I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                  Halton Arp

                  1 Reply Last reply Reply Quote 0
                  • K
                    krystm @viragomann
                    last edited by Sep 27, 2019, 6:03 PM

                    @viragomann said in Getting a LAN IP from OpenVPN:

                    @Wastapi
                    You can achieve this with a simple outbound NAT rule (masquerading) as well.
                    Just go to Firewall > NAT > Outbound and activate the hybrid mode if it is still in automatic mode.
                    Then add a new rule:
                    Interface: LAN
                    protocol: TCP (or any if needed)
                    source: <your OpenVPN tunnel network>
                    destination: LAN net (or an alias including specific IPs if you want)
                    translation address: interface address

                    So packets from an OpenVPN client get the firewall's LAN IP as source when they're going out.

                    If your OpenVPN server is also used by other clients you may want to configure a CSO for you and set the source in this rule to your IP only. So that rule is applied to your connection only.

                    I came, I made an account ONLY to say THANK YOU! This fixed my issue I have been beating my head into a wall for days trying to route my phone into the vpn and then back out to internet. This made that work. Doing this so I could use my pihole and protect myself from the ads while also having internal access.

                    THANK YOU SO MUCH!

                    1 Reply Last reply Reply Quote 0
                    • W
                      william333
                      last edited by Sep 30, 2019, 11:10 AM

                      A site-to-site arrangement is the place (at least two) distinct systems are associated together utilizing one OpenVPN burrow. In this association model, gadgets in a single system can arrive at gadgets in the other system, and the other way around. The execution of this is, similarly as Access Server is associated with this, generally basic

                      1 Reply Last reply Reply Quote 0