Hello all,

I am having some issues with the OpenVPN implementation:

I am able to connect from outside to the OpenVPN server, and I am able to ping the ClearOS server (192.168.1.100), but I am unable to interact with any other hosts (i.e. 192.168.1.101).
I have had to force the client to connect over TCP as my ISP does strange things to UDP packets.

I have attempted to push a route to 192.168.1.0 but that doesn't seem to have worked either.
The client is not the issue as I created my own OpenVPN config on a standalone computer and it worked perfectly.

Any suggestions would be greatly appreciated! :) Thank you.
Saturday, July 01 2017, 09:58 AM

Accepted Answer

Monday, July 03 2017, 02:44 PM
No worries, I found the problem.

I had to adjust the DNS and WINS entries in clients*.conf to

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option WINS 10.8.0.1"

and

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.8.10.1"
push "dhcp-option WINS 10.8.10.1"

respectively.

All sorted! Thank you for your help! :) (Can I buy you a coffee?)
Responses (7)
  • Monday, July 03 2017, 07:27 PM
    I've done some more testing. Using the ClearOS LAN IP or the OpenVPN LAN IP makes no difference to DNS and browsing the network. The main issue is the Windoze firewall which, by default, blocks anything coming from outside the LAN. This includes OpenVPN. Adding the ClearOS firewall rules sidesteps the issue as it makes all traffic appear to come from the ClearOS server. The other thing to do is configure the Windoze to allow traffic in from various subnets (the Scope tab in the advanced firewall settings).
  • Monday, July 03 2017, 03:03 PM
    Posts crossed. I'll give your settings a go when I'm home.
  • Monday, July 03 2017, 03:01 PM
    In the standard setup with ClearOS as a gateway you should not need the two firewall rules, unless your LAN devices block incoming traffic not coming from the LAN subnet. This can happen with the Windoze firewall, but is not too common.

    For me I push the domain and name resolution by DNS works (but for some reason is much slower if you don't specify the domain name). I think I have some devices which work and some which don't. It is not client specific so very odd. WINS does not seem to work even with any tweaks I do to Samba. By "not work" I mean I cannot resolve from my LAN devices connected to OpenVPN. I am not sure that things like My Network Places/Neighbourhood work on remote PCs either, but I can't remember and have little need for it.
  • Monday, July 03 2017, 01:25 PM
    Hi Nick,

    I reconfigured my box completely, allowing VMware to do a passthrough to one of my NICs, which is now connected to my fibre modem - WAN IP - OK.
    Configured ClearOS to be in gateway mode - all clients have internet again.
    Added rules:
    iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
    iptables -t nat -I POSTROUTING -s 10.8.10.0/24 -j MASQUERADE
    iptables-save

    Remote access to internal IPs now works! Thank you! :D

    The only thing that still doesn't work is internal host name resolution -
    DNS, DHCP and WINS are all set to
    192.168.1.100

    Have I configured something incorrectly?
  • Saturday, July 01 2017, 07:31 PM
    The POSTROUTING rule should be something like:
    $IPTABLES -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
    for the custom firewall module and
    iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
    from the command line. 10.8.0.0/24 should be the subnet that OpenVPN is using. Can you also check that /proc/sys/net/ipv4/ip_forward is set to 1?

    It would probably be more normal to add a route in your gateway if you can to redirect anything to 10.8.0.0/24 via 192.168.1.100 rather than try to NAT the incoming packets, but I'd have thought both would work.

    Also note that if you want to use OpenVPN from a number of locations, the LAN subnets 192.168.0.0/24 and 192.168.1.0/24 are not a good idea.

    If you make ClearOS a gateway remember not to connect both the LAN and WAN to the same physical subnet, and make sure the LAN and WAN subnets are different.
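As an added example (not code from the thread or from ClearOS), the script below checks the three pieces this thread converges on: ip_forward on the server, the POSTROUTING MASQUERADE rule for the OpenVPN subnet, and the pushed LAN route from the accepted answer's clients*.conf. It runs against captured text rather than the live system, and the iptables-save output and config excerpt are constructed samples.

```shell
#!/bin/sh
# Added example: verify the OpenVPN-to-LAN prerequisites offline.
# All sample data below is constructed, not captured from a real server.

# Constructed sample of `iptables-save -t nat` output from the ClearOS server.
NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT'

# Constructed sample of the push lines in the OpenVPN server (clients*.conf) config.
CLIENTS_CONF='push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option WINS 10.8.0.1"'

# forwarding_enabled VALUE: VALUE is the contents of /proc/sys/net/ipv4/ip_forward.
forwarding_enabled() {
    [ "$1" = "1" ]
}

# has_masquerade SUBNET NAT_TEXT: true if a POSTROUTING MASQUERADE rule covers SUBNET.
# Fixed-string greps so the dots and slash in the subnet are matched literally.
has_masquerade() {
    printf '%s\n' "$2" | grep -F -- '-A POSTROUTING ' | grep -F -- "-s $1 " | grep -Fq -- '-j MASQUERADE'
}

# pushes_route NETWORK NETMASK CONF_TEXT: true if the server pushes that LAN route.
pushes_route() {
    printf '%s\n' "$3" | grep -Fqx -- "push \"route $1 $2\""
}

# check_vpn_lan_access IP_FORWARD VPN_SUBNET NAT_TEXT CONF_TEXT
# Prints each missing piece and returns 0 only when all three are present.
check_vpn_lan_access() {
    ok=0
    forwarding_enabled "$1" || { echo "ip_forward=$1: kernel will not forward tun traffic to the LAN"; ok=1; }
    has_masquerade "$2" "$3" || { echo "no MASQUERADE for $2: LAN hosts need a route back to $2 via the ClearOS server"; ok=1; }
    pushes_route 192.168.1.0 255.255.255.0 "$4" || { echo "no pushed route for 192.168.1.0/24: clients will not send LAN traffic into the tunnel"; ok=1; }
    return "$ok"
}

# Stand-alone run against the constructed samples (exit status 0 = all present).
check_vpn_lan_access 1 10.8.0.0/24 "$NAT_RULES" "$CLIENTS_CONF" && echo "OpenVPN clients on 10.8.0.0/24 should reach 192.168.1.0/24"
```

On a real server, feed it `cat /proc/sys/net/ipv4/ip_forward`, `iptables-save -t nat` and the OpenVPN server config; a second subnet such as 10.8.10.0/24 needs its own MASQUERADE rule, which the check reports as missing.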
  • Saturday, July 01 2017, 04:44 PM
    Hi Nick,

    Thanks for the reply.
    Indeed it is running in standalone, although I have just purchased some extra patch cables to configure in gateway mode if this is better supported.

    I attempted the POSTROUTING entry in iptables to no avail.
    If I now configure (monday) in gateway mode will this resolve my issue?

    Many thanks
  • Saturday, July 01 2017, 04:37 PM
    Is your server in standalone mode? If so you will need some static routes either on your gateway or on the individual devices you are trying to connect to. Alternatively you'd need to NAT the incoming packets in ClearOS so that they appear to come from 192.168.1.100 for the rest of your LAN.