VPN
Aram Pakhchanian, 2019-08-10 18:51:44

How to ensure that L2TP VPN clients of the server to which the router is connected can access the network behind the router?

The task is the most standard: to make convenient access to the home network, which is connected to the Internet through a mobile operator. You have to look at the surveillance cameras, sometimes get some file, etc. There is no task to have a "white address" for Internet access yet.
What I have:
1. VPS on Ubuntu 18.
2. Mikrotik router with support for 4G modems (hAP AC lite), everything is connected, there is Internet, through NAT, of course. Internal network 192.168.1.0/24, router address 192.168.1.1.
What I have already done:
1. Installed an encrypted IPsec/L2TP server on the VPS. To do this, I used a ready-made script, which worked great. The server creates an address pool 192.168.42.x for VPN clients (starting from .100); the server address in each point-to-point connection is 192.168.42.1.
2. Set up a connection to this server on the Mikrotik. Everything is connected, everything works.
3. On the Mikrotik, I created a route to the network 192.168.42/24 via IP>Routes, specifying the VPN ppp connection as the gateway.
4. On Ubuntu, after connecting, I add the route manually:
ip route add 192.168.1.0/24 via 192.168.42.1
After that, the situation is as follows:
- the server itself sees both the router and the computers behind it. From the server console, all devices are pinged, all can be connected.
- Other computers connected to the same server via VPN see only the router at 192.168.42.100; all other computers within the network are unavailable.
- I tried to set a route to the network 192.168.1.x on a computer connected via VPN to the server, it does not help (ip route add 192.168.1.0/24 via 192.168.42.1). Replacing the gateway address with the other end of my connection (192.168.42.102) didn't help either. traceroute stops at 192.168.41.1 and goes no further.
From inside the network, the address 192.168.42.100 is pinged, but other devices connected to the VPN are not visible. There is a suspicion that some rules should be added to iptables on the server, but I have not yet figured out how.
What can you try to do to make it work?

2 answer(s)
ru6ak, 2019-08-10
@aram_pakhchanian

If I understand everything correctly, you are not writing the route correctly in Ubuntu.
192.168.42.1 is the address of the VPN server; it doesn't know anything about the network behind the Mikrotik.
You need to set the Mikrotik address as the gateway for the network 192.168.1.0 on Ubuntu, not the address of the VPN server:
ip route add 192.168.1.0/24 via mikrotik address.
As for iptables or ufw, try turning them off (I don't know what exactly you are using).
It would also be nice to know what the script does (to be honest); it's quite possible that it specifically restricts the network for clients, in which case you need to edit the script.
Sometimes it's better to set up the service yourself than to trust a script whose functionality is not clear.
Moreover, it's not so difficult to set up a VPN; usually it's a couple of configs.

Aram Pakhchanian, 2019-08-13
@aram_pakhchanian

In general, the problem was in the confusing iptables rules. I deleted them, wrote simple rules by hand, and it all worked.
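Added example, not from the question or either answer: a server-side script for the Ubuntu VPS that covers both points raised in the thread, the route next hop from ru6ak's answer and the replacement of the installer's forwarding rules from the author's reply. It assumes the Mikrotik keeps the VPN address 192.168.42.100 (pin it in the PPP secrets file, otherwise the route breaks on reconnect), that L2TP sessions appear as pppN interfaces, and that the masquerade rule for Internet access is bound to the uplink interface and so does not rewrite VPN-to-LAN traffic.

```bash
#!/usr/bin/env bash
# Routing and forwarding on the L2TP server (Ubuntu VPS) for the topology in
# the question. Addresses are the ones given there; DRY_RUN=1 (the default)
# only prints the commands, DRY_RUN=0 executes them (needs root).
set -eu

VPN_POOL="192.168.42.0/24"       # pool the L2TP server hands out to clients
MIKROTIK_VPN_IP="192.168.42.100" # VPN-side address of the Mikrotik (assumed pinned)
HOME_LAN="192.168.1.0/24"        # network behind the Mikrotik
PPP_IF="ppp+"                    # each L2TP session is its own pppN interface
DRY_RUN="${DRY_RUN:-1}"

run() {  # print in dry-run mode, execute otherwise
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Route to the home LAN. The next hop is the Mikrotik's VPN address: the
# server's own 192.168.42.1 knows nothing about 192.168.1.0/24.
lan_route_cmd() {
  echo "ip route replace $HOME_LAN via $MIKROTIK_VPN_IP"
}

# Traffic between VPN sessions passes through the FORWARD chain, so the
# installer's client-to-Internet rules are not enough. Insert (-I) at the top so
# these land ahead of any catch-all DROP, and scope them to the two networks
# instead of a blanket "-i ppp+ -o ppp+ -j ACCEPT".
forward_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -I FORWARD 1 -i $PPP_IF -o $PPP_IF -s $VPN_POOL -d $HOME_LAN -j ACCEPT
iptables -I FORWARD 2 -i $PPP_IF -o $PPP_IF -s $HOME_LAN -d $VPN_POOL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -i $PPP_IF -o $PPP_IF -s $VPN_POOL -d $VPN_POOL -j ACCEPT
EOF
}

# Other VPN clients (laptops) still need their own route, pointing at the
# server's side of their session, e.g. ip route add 192.168.1.0/24 via 192.168.42.1.
apply_all() {
  { lan_route_cmd; forward_rules; } | while IFS= read -r cmd; do run "$cmd"; done
}

apply_all
```

Rule 2 only admits LAN-to-VPN traffic that answers an existing connection; if devices on the LAN should initiate connections to VPN clients, add an explicit rule for that direction rather than widening rule 2.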
