Bret
Resolved
So, here is the endeavor

Network layout:
Outside world -- Modem - DMZ--ClearOS 6.5(OpenVPN Server) (Is in gateway mode)

client Network layout:
Outside world -- Modem -- Router(DD-WRT) -- Client
///////////
The client has one of OpenVPN's default IP ranges (10.8.0.x)
/////////
Is it possible to port forward to the tun in the same way one would port forward to a LAN address?

For example:
say port 80

On local lan like mine (10.10.10.0/8)
you could just say

starting port:80
ending port:80
ip: 10.10.10.x

HOWEVER
to port forward to a VPN client this method doesn't work

starting port:80
ending port:80
ip: 10.8.0.x
////////////////////////////////////
I am probably just being hopeful for nothing. I just would like to be able to run services from my laptop on-the-go sometimes.
In VPN
Wednesday, February 19 2014, 04:37 AM
Responses (12)
  • Accepted Answer

    Wednesday, February 19 2014, 04:14 PM - #Permalink
    I don't think you can port forward through the tun interface. The easiest thing to do is change the OpenVPN subnet. You can edit the network in /etc/openvpn/clients.conf. Restart OpenVPN afterwards.
  • Accepted Answer

    Bret
    Thursday, February 20 2014, 05:54 PM - #Permalink
    What would changing the subnet help? I have the gateway def1 in the client.conf - so I can access smb servers on the lan through the tun.

    Just to clarify a bit more:

    Say I wanted to host a Ventrilo server from my laptop on the go (at a hotel) for team collaboration.
    After connecting to the VPN I receive a 10.8.0.x address with a subnet of 255.255.255.0

    So far I have only tried to use that address with the port forwarding app (I am having a busy month)

    Is there a way to configure a port forward from that address to the ClearOS WAN?

    ClearOS 6.5
  • Accepted Answer

    Thursday, February 20 2014, 06:51 PM - #Permalink
    If you are connecting in from a machine which is already on a 10.8.0.0/24 subnet then you will manage a connection but no traffic will pass if OpenVPN also uses a 10.8.0.0/24 subnet.

    Consider this. Your PC gets an IP 10.8.0.x from its LAN. It gets 10.8.0.y from OpenVPN and it sets a default route to ClearOS. Then you try to send traffic via ClearOS 10.8.0.1. OpenVPN says go down the tunnel. But the tunnel connects through the LAN so the PC tries to route OpenVPN through the LAN, but that is a 10.8.0.0/24 address which you've said to go down the VPN.........
  • Accepted Answer

    Bret
    Sunday, February 23 2014, 02:36 AM - #Permalink
    I was misunderstood

    the lan addresses are 10.10.10.x/8
    the vpn addresses are 10.8.0.x/24

    Port forwarding is fine on any of the lan-connected computers with 10.10.10.x

    However the port forward does not route to any 10.8.0.x addresses over the vpn
  • Accepted Answer

    Sunday, February 23 2014, 08:51 AM - #Permalink
    10.10.10.x/8 covers the entire range 10.0.0.0 - 10.255.255.255 so 10.8.0.x/24 is included in the lan subnet so you cannot route to it over the VPN. You need to change your OpenVPN subnet to a subnet in 172.16.0.0/12 or 192.168.0.0/16.

    P.S. unless it is a mega corp, whoever runs the 10.0.0.0/8 LAN, using a /8 subnet rather than a subset of it is a bit of a sledgehammer. It allows 16,777,214 IP addresses on the LAN. That is a lot of devices!!
  • Accepted Answer

    Bret
    Sunday, March 16 2014, 04:46 PM - #Permalink
    So what do you suggest for my lan subnet?
    Also, what do you suggest to set the OpenVPN server IP/subnet to?

    I would like to keep 10.x.x.x in the lan
  • Accepted Answer

    Sunday, March 16 2014, 05:26 PM - #Permalink
    If you cut down the LAN to a /24 subnet, e.g. 10.11.12.0/24, then you can leave OpenVPN where it is. If you need the whole 10.0.0.0/8 address range for your LAN then move OpenVPN to a subnet somewhere in the 172.16.0.0 - 172.31.255.255 range. Also if you do need the whole 10.0.0.0/8 subnet for your LAN then ClearOS is possibly not suitable as a gateway!
  • Accepted Answer

    Bret
    Thursday, March 20 2014, 12:56 PM - #Permalink
    So if I move clearos lan to /24.

    Only problem with 172-174.x.x.x is that my ISP uses those addresses for clients.

    Would a 192.x.x.x be suitable?
  • Accepted Answer

    Thursday, March 20 2014, 01:08 PM - #Permalink
    There are three private IP ranges:
    10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
    172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
    192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

    Anywhere in those ranges would be suitable. If your ISP gives out IPs in the range 172-174.x.x.x it seems to indicate he is giving out public IPs. If that is so, he will not be using the 172.16.0.0/12 range which is private. Just avoid 192.168.0.0/24, 192.168.1.0/24 and possibly 192.168.2.0/24 and 192.168.100.0/24. Be kind (sensible?) and only pick a /24 subnet if that is all you need. The bigger the subnet you pick the more likely it is that you'll have a clash in your remote location.

    I'd love to know why you need the whole 10.0.0.0/8 subnet for your LAN.
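
The subnet clash diagnosed in this thread, and the advice on picking a VPN subnet, can be checked mechanically. The following is an added example, not part of any forum post; the function names are hypothetical, the addresses are the ones quoted in the thread, and it generalizes slightly by also accepting client-side (e.g. hotel) networks.

```python
import ipaddress

# The three private ranges listed in the reply above.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# /24s the reply says to avoid (common defaults on remote networks).
COMMON_REMOTE = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/24", "192.168.1.0/24",
                  "192.168.2.0/24", "192.168.100.0/24")]


def parse(cidr):
    """Parse a CIDR as typed in the thread. Host bits are masked off,
    so '10.10.10.0/8' becomes 10.0.0.0/8."""
    return ipaddress.ip_network(cidr, strict=False)


def conflicts(vpn_cidr, lan_cidr, remote_cidrs=()):
    """Return every network (server LAN or client-side LAN) that
    overlaps the VPN subnet; an empty list means no address clash."""
    vpn = parse(vpn_cidr)
    others = [parse(lan_cidr)] + [parse(r) for r in remote_cidrs]
    return [net for net in others if vpn.overlaps(net)]


def suggest_vpn_subnets(lan_cidr, count=3, prefix=24):
    """Return the first `count` private /prefix subnets that avoid the
    LAN and the commonly used remote subnets."""
    lan = parse(lan_cidr)
    avoid = [lan] + COMMON_REMOTE
    found = []
    for block in PRIVATE_RANGES:
        if block.subnet_of(lan):      # LAN swallows the whole block
            continue
        for cand in block.subnets(new_prefix=prefix):
            if not any(cand.overlaps(a) for a in avoid):
                found.append(cand)
                if len(found) == count:
                    return found
    return found


if __name__ == "__main__":
    # Values from the thread: LAN 10.10.10.x/8, OpenVPN 10.8.0.x/24.
    print(conflicts("10.8.0.0/24", "10.10.10.0/8"))
    print(conflicts("10.8.0.0/24", "10.11.12.0/24"))
    print(suggest_vpn_subnets("10.10.10.0/8"))
```
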
  • Accepted Answer

    Max
    Wednesday, January 08 2020, 09:45 AM - #Permalink
    :)
  • Accepted Answer

    Max
    Wednesday, January 08 2020, 09:52 AM - #Permalink
    :D
  • Accepted Answer

    Wednesday, January 08 2020, 10:20 AM - #Permalink
    A new thread here would have been preferable.

    Note that having a LAN on the 192.168.1.0/24 (or 192.168.0.0/24) subnet is not brilliant for VPN's.

    Your user should be able to contact 192.168.1.101:8082 directly through OpenVPN without any forwarding. Note the traffic will appear from 10.8.0.1 (I think) so the machine at 192.168.1.101 should have its firewall open to that subnet as well. Alternatively check the app documentation to see how to NAT the incoming OpenVPN traffic.

    It can be more complicated by FQDN if you want to force traffic through the VPN instead of externally.