Ruslan Saveliev, 2015-07-28 14:59:15
openvpn

VPN routing to the local network: which route to add, and where?

I need to give access to the terminal server from outside, and I do not want to leave it open!
The best solution seems to be an OpenVPN tunnel.
I set it up very simply; everything is on Windows.
server config:

dev tun
proto tcp
port 443
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
topology subnet
server 10.8.0.0 255.255.255.0
client-to-client
cipher AES-128-CBC
mssfix
keepalive 10 120
verb 3

Client config:
client
dev tun
proto tcp
remote 46.29.ХХХ.ХХХ 443 #mikrotik
ca ca.crt
cert admin.crt
key admin.key
cipher AES-128-CBC
nobind
persist-key
persist-tun
verb 3

Everything connects and works, but the RDP server (192.168.0.10) alone does not respond to ping at all.
All other machines on the network are reachable from the tunnel without any problem.
The problem is probably that the terminal server has the default gateway 192.168.10.1, the same as the VPN server, and the routes are not going the right way?
netstat -r on the VPN server:
C:\Users\Administrator>netstat -r
===========================================================================
List of interfaces
 21...00 ff 2d f8 f6 6c ......TAP-Windows Adapter V9
 16...ac 16 2d 88 07 c5 ......HP Ethernet 1Gb 4-port 331FLR Adapter #4
 14...ac 16 2d 88 07 c4 ......HP Ethernet 1Gb 4-port 331FLR Adapter #3
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP #2 adapter
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP #3 adapter
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP #4 adapter
 18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 route table
===========================================================================
Active Routes:
Network Address          Netmask  Gateway Address        Interface  Metric
        0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.20     266
       10.8.0.0    255.255.255.0          On-link         10.8.0.1     276
       10.8.0.1  255.255.255.255          On-link         10.8.0.1     276
     10.8.0.255  255.255.255.255          On-link         10.8.0.1     276
      127.0.0.0        255.0.0.0          On-link        127.0.0.1     306
      127.0.0.1  255.255.255.255          On-link        127.0.0.1     306
127.255.255.255  255.255.255.255          On-link        127.0.0.1     306
    192.168.0.0    255.255.255.0          On-link      192.168.0.1     276
    192.168.0.1  255.255.255.255          On-link      192.168.0.1     276
   192.168.0.10  255.255.255.255          On-link      192.168.0.1      21
  192.168.0.255  255.255.255.255          On-link      192.168.0.1     276
   192.168.10.0    255.255.255.0          On-link    192.168.10.20     266
 192.168.10.255  255.255.255.255          On-link    192.168.10.20     266
      224.0.0.0        240.0.0.0          On-link        127.0.0.1     306
      224.0.0.0        240.0.0.0          On-link      192.168.0.1     276
      224.0.0.0        240.0.0.0          On-link         10.8.0.1     276
      224.0.0.0        240.0.0.0          On-link    192.168.10.20     266
255.255.255.255  255.255.255.255          On-link      192.168.0.1     276
255.255.255.255  255.255.255.255          On-link         10.8.0.1     276
255.255.255.255  255.255.255.255          On-link    192.168.10.20     266
===========================================================================
Permanent Routes:
Network Address          Mask  Gateway Address   Metric
        0.0.0.0       0.0.0.0     192.168.10.1  Default
===========================================================================

and from the terminal server:
C:\Users\1C>netstat -r
===========================================================================
List of interfaces
 12...78 e3 b5 1a 8a 1f ......HP NC362i Integrated DP Gigabit Server Adapter #2
 10...78 e3 b5 1a 8a 1e ......HP NC362i Integrated DP Gigabit Server Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP #2 Adapter
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 route table
===========================================================================
Active Routes:
Network Address          Netmask  Gateway Address        Interface  Metric
        0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.10     266
      127.0.0.0        255.0.0.0          On-link        127.0.0.1     306
      127.0.0.1  255.255.255.255          On-link        127.0.0.1     306
127.255.255.255  255.255.255.255          On-link        127.0.0.1     306
    192.168.0.0    255.255.255.0          On-link     192.168.0.10     276
   192.168.0.10  255.255.255.255          On-link     192.168.0.10     276
  192.168.0.255  255.255.255.255          On-link     192.168.0.10     276
   192.168.10.0    255.255.255.0          On-link    192.168.10.10     266
  192.168.10.10  255.255.255.255          On-link    192.168.10.10     266
 192.168.10.255  255.255.255.255          On-link    192.168.10.10     266
      224.0.0.0        240.0.0.0          On-link        127.0.0.1     306
      224.0.0.0        240.0.0.0          On-link    192.168.10.10     266
      224.0.0.0        240.0.0.0          On-link     192.168.0.10     276
255.255.255.255  255.255.255.255          On-link     192.168.0.10     276
===========================================================================
Permanent routes:
Network Address          Mask  Gateway Address   Metric
        0.0.0.0       0.0.0.0     192.168.10.1  Default
===========================================================================

UPD: The clients, naturally, have addresses in 10.8.0.0/24.
UPD2: A trace from the client to 192.168.0.10 goes first to 10.8.0.1 and is then lost.

4 answer(s)
Ruslan Savelyev, 2015-07-28
@rogovogor

And it turned out to be simple after all: Windows Firewall was turned off on the OVPN SERVER!!!
Thanks to all!

Max, 2015-07-28
@MaxDukov

IMHO this is
superfluous. You have already registered the route to the network with the line
or did you mean push "route 192.168.10.0 255.255.255.0"?

Andrey Hammer, 2015-07-28
@AndreyHammer

On the terminal server, add a route to 10.8.0.0/24 via 192.168.0.1.
The other machines are reachable over the VPN from the client because their default gateway is 192.168.0.1.
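As an added illustration of the missing return route Andrey points at (example code written for this page, not from any poster): the script parses a netstat -r style table, does the longest-prefix lookup the Windows stack would do, and reports which gateway the terminal server would use to answer a VPN client before and after the route is added. The rows are copied from the terminal server's table in the question; 192.168.0.1 is the VPN server's LAN address from its own table, and the interface/metric used for the added route are assumed.

```python
import ipaddress

# Sample rows copied from the terminal server's "netstat -r" output in the
# question (destination, netmask, gateway, interface, metric).
TERMINAL_SERVER_ROUTES = """
0.0.0.0       0.0.0.0         192.168.10.1  192.168.10.10  266
127.0.0.0     255.0.0.0       On-link       127.0.0.1      306
192.168.0.0   255.255.255.0   On-link       192.168.0.10   276
192.168.10.0  255.255.255.0   On-link       192.168.10.10  266
224.0.0.0     240.0.0.0       On-link       192.168.0.10   276
"""
VPN_SUBNET = "10.8.0.0/24"          # from "server 10.8.0.0 255.255.255.0"
VPN_SERVER_LAN_IP = "192.168.0.1"   # OpenVPN server's address on the 192.168.0.0/24 LAN

def parse_routes(text):
    """Turn 'netstat -r' style rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties, as the host's IP stack does it.
    Returns (gateway, interface) or None when no route covers dst."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    _net, gateway, iface, _metric = max(hits, key=lambda r: (r[0].prefixlen, -r[3]))
    return gateway, iface

def has_return_route(routes, vpn_subnet=VPN_SUBNET, vpn_server=VPN_SERVER_LAN_IP):
    """True if replies to a VPN client are sent to the OpenVPN server, not to the default gateway."""
    probe = ipaddress.IPv4Network(vpn_subnet)[2]   # a client address (.1 is the server's tun side)
    hit = lookup(routes, str(probe))
    return hit is not None and hit[0] == vpn_server

def with_route(routes, dest, mask, gateway, iface, metric):
    """Copy of the table with one extra row, i.e. what 'route add' would leave behind."""
    return routes + parse_routes(f"{dest} {mask} {gateway} {iface} {metric}")

if __name__ == "__main__":
    table = parse_routes(TERMINAL_SERVER_ROUTES)
    print("before:", lookup(table, "10.8.0.2"), has_return_route(table))   # goes to 192.168.10.1
    fixed = with_route(table, "10.8.0.0", "255.255.255.0", VPN_SERVER_LAN_IP, "192.168.0.10", 276)
    print("after: ", lookup(fixed, "10.8.0.2"), has_return_route(fixed))   # goes to 192.168.0.1
```

The same check run against the VPN server's own table would pass, because 10.8.0.0/24 is On-link there via the TAP adapter; the firewall the asker eventually found is a separate filter on top of routing.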

Azazel PW, 2015-07-29
@azazelpw

The client and the server must have different IPs.
And here are working configs,
using the example of connecting two offices.
Server config
port 1194
proto tcp-server
dev tun
mode server
tls-server
client-to-client
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/cache.txt
client-config-dir ccd
route 192.168.1.0 255.255.255.0
keepalive 10 120
max-clients 30
persist-key
persist-tun
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
status /etc/openvpn/status.log
verb 1
===
/etc/openvpn/cache.txt must contain the IP that the server will issue:
client,10.8.0.2
Client config
client
proto tcp
dev tun
remote %ipserver_inner% 1194
tls-client
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/client.crt
key /etc/openvpn/key/client.key
ns-cert-type server
resolv-retry infinite
keepalive 10 120
route 192.168.0.0 255.255.255.0
persist-key
persist-tun
log openvpn.log
status openvpn-status.log
verb 3
