OpenVPN is a very powerful tool to connect to a remote network in a secure and easy way. But while it’s quite easy to set it up (see my post about OpenVPN on Raspberry Pi), getting all the pieces together takes some more network understanding and configuration. I created an image to show what’s going on when an OpenVPN client connects to the server.
The grey network is the local network you’re connecting to, the green network is created by OpenVPN. After a successful connection, the OpenVPN server can ‘push’ a route to the OpenVPN client to make it aware of the grey network that is available through the OpenVPN connection. In this case you’d add this setting to the OpenVPN server:
push "route 10.5.5.0 255.255.255.0"
Now that the OpenVPN client knows how to find the Linux server on the grey network, it should be working, right? Nope. The Linux server does not know about the green network. So, when an OpenVPN client connects from a 10.8.0.x IP address, this server does not know where to send the response. When this happens, the Linux server sends its traffic to the default gateway of the local network: the router of the grey network.
But unfortunately, the router does not know about the green network either. Since 10.8.0.x is a private address (RFC 1918) that is not routable on the internet, it drops the packets because it has no way of knowing where to find this private network. To the OpenVPN client, this may look like there’s something wrong with the VPN connection, because even a simple ping will not work and times out. In reality, this is a routing problem.
The solution? Make the Linux server or at least the router aware of the green network, and tell them where to send traffic to this network. This is done by adding a route like this:
route add -net 10.8.0.0/24 gw 10.5.5.5
This assumes the local network IP address of the OpenVPN server is 10.5.5.5.
This way the hosts in the grey network know about the green network and send their traffic to the OpenVPN server. Of course the OpenVPN server knows how to reach the OpenVPN client and all is working!
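To make the asymmetric-routing failure concrete, here is an added simulation (not part of the original post) that walks a ping and its reply hop by hop through the routing tables of the client, the OpenVPN server, the Linux server and the grey router. All tables are constructed to match the diagram; the Linux server at 10.5.5.10, the router at 10.5.5.1 and the client at 10.8.0.6 are assumed addresses.

```python
import ipaddress
from copy import deepcopy

# Assumed addresses matching the post's diagram: grey LAN 10.5.5.0/24
# (router 10.5.5.1, OpenVPN server 10.5.5.5, Linux server 10.5.5.10) and
# green VPN network 10.8.0.0/24 (server 10.8.0.1, client 10.8.0.6).
ADDRS = {
    "client": ["10.8.0.6"],
    "vpnsrv": ["10.8.0.1", "10.5.5.5"],
    "linux":  ["10.5.5.10"],
    "router": ["10.5.5.1"],
}
# Constructed routing tables: prefix -> next hop. "onlink" is a directly
# connected network; "internet" is the router's upstream, which has no
# route for RFC 1918 space and therefore drops the packet.
TABLES = {
    "client": {"10.8.0.0/24": "onlink", "10.5.5.0/24": "10.8.0.1"},  # pushed route
    "vpnsrv": {"10.8.0.0/24": "onlink", "10.5.5.0/24": "onlink", "0.0.0.0/0": "10.5.5.1"},
    "linux":  {"10.5.5.0/24": "onlink", "0.0.0.0/0": "10.5.5.1"},
    "router": {"10.5.5.0/24": "onlink", "0.0.0.0/0": "internet"},
}

def owner(ip):
    """Which host holds this address (None if nobody does)."""
    return next((h for h, a in ADDRS.items() if ip in a), None)

def lookup(table, dst):
    """Longest-prefix match over one host's table, like a kernel FIB."""
    dst = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table if dst in ipaddress.ip_network(p)]
    best = max(nets, key=lambda n: n.prefixlen, default=None)
    return table[str(best)] if best else None

def trace(tables, src, dst):
    """Forward one packet; return (hosts traversed, verdict)."""
    path, host = [src], src
    for _ in range(8):  # hop limit, so a misconfigured loop terminates
        if dst in ADDRS[host]:
            return path, "delivered"
        hop = lookup(tables[host], dst)
        if hop is None:
            return path, "no route"
        if hop == "internet":
            return path, "dropped: private address sent to the internet"
        nxt = owner(dst) if hop == "onlink" else owner(hop)
        if nxt is None:
            return path, "no route"
        host = nxt
        path.append(host)
    return path, "loop"

def ping(tables, src, dst_ip):
    """A ping only succeeds when the echo request AND the reply are delivered."""
    if owner(dst_ip) is None:
        return False
    _, fwd = trace(tables, src, dst_ip)
    _, back = trace(tables, owner(dst_ip), ADDRS[src][0])
    return fwd == "delivered" and back == "delivered"

def with_return_route(tables, host, prefix="10.8.0.0/24", gw="10.5.5.5"):
    """The post's fix, 'route add -net 10.8.0.0/24 gw 10.5.5.5', applied on a grey host."""
    fixed = deepcopy(tables)
    fixed[host][prefix] = gw
    return fixed
```

Running `trace(TABLES, "linux", "10.8.0.6")` shows the reply leaving for the router and being dropped there, while the same trace after `with_return_route(TABLES, "router")` or `with_return_route(TABLES, "linux")` reaches the client.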
You can extend this further and add routes to the network of the VPN client, so that hosts on both networks can communicate with each other. This is useful for example to connect a branch office to the corporate network. I’ll write about this in more detail some other time.
Hopefully this post brings some insight in what goes on when using networks and VPN connections.
Hi Remi,
I’m trying to solve my OpenVPN issues for one week and it seems that I’m out of luck.
I found your blog with clearer explanations, but I’m still not able to solve my network routing problem.
So, my system looks like this:
I am able to connect to my server from the client PC, I’m able to ping my VPN server IP 10.8.0.1 and that’s it. I’m not able to ping my router, NAS or even get through to the internet with my home IP address.
The server configuration is:
local 192.168.1.109
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
push "route 192.168.1.0 255.255.255.0"
Client configuration is:
remote a.b.c.d
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
I have tried to add routing rule in my router, but that didn’t help me.
Router is D-Link 825. I set:
destination IP – 10.8.0.1
netmask – 255.255.255.255
gateway – 192.168.1.109
Also I have tried NAT’ing traffic with this command on the RasPi:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
But that also didn’t solve my problem.
I feel that I have missed a small thing that I’m not able to see…
Regards
Hi Justas,
Can you confirm the OpenVPN client gets its route from the OpenVPN server? In other words, when you run ‘route -n’, does it show the 192.168.1.x network?
If that is not the case, that is the problem. If it is listed, then I’d suggest having a look at the routes back to the 10.8.0.x network, like I described in my post. Not just 10.8.0.1, but the whole /24 network (netmask 255.255.255.0). You see, the OpenVPN client has another address in this range and the router should know about the whole network.
Good luck!
It looks like I forgot to add the picture to my post.
So, here it is: http://s9.postimage.org/pv0eg5a4f/Network_configuration.png
Looks nice!
I see now that you are using windows. In my previous comment, where I said ‘route -n’, try ‘netstat -rn’ instead. That will work on Windows and Mac OSX, even on Linux 😉
Yes, we have a line with 192.168.1.x network in server’s routing table.

To be more sure about my information (because I’m a dummy in this area), I have collected routing tables from the client PC (green), server RasPi (white) and info about the NIC in the client’s PC (green again).
I have made several experiments with different settings and this is what I found:
First of all I have tried to change the routing rule in the router, like: dest IP – 10.8.0.0; netmask – 255.255.255.0; gateway – 192.168.1.109. Also this rule is applied to the WAN interface in the router. I’m not able to select anything else. But this routing rule change didn’t give me any positive visible result.
Secondly, I have enabled masquerade NAT’ing. After doing this I was able to ping and explore my local home network devices.
Eventually, I noticed that when the client gets connected to the VPN server, it does not get a default gateway IP address. Also the subnet looks weird to me, with an ending of 252 instead of 255, but maybe it is ok. So, I added the default gateway for the client manually. By doing this Windows told me that this connection now has access to the internet. Hooray!
Even after that last step the routing rule in the home router does not have any effect, whether it is on or off.
But now there are a few more things. I need somehow to route all traffic through the VPN tunnel. The client PC is using OpenVPN GUI.
And… OK, I’m still interested in the problem of why I was not able to reach the network behind the RasPi with the VPN server. I’d like to see the same system working normally in the way you described.
Networking gets more and more interesting 🙂
Regards
Dear Friend,
I have configured an OpenVPN (Slackware 13.37) machine, it is working fine, and I tested that it is working.
I have configured
1. System1 Linux machine for the OpenVPN client setup, and started the service; it is running fine
2. System2 Linux machine I have configured as the OpenVPN server, it is working fine.
The System1 OpenVPN client & System2 OpenVPN server are connected,
I have checked the log and I am able to ping the tun0 OpenVPN server IP from the OpenVPN client.
And in the OpenVPN server I am able to ping the OpenVPN client tun0 IP address.
In the OpenVPN server config file I have added the option (push "redirect-gateway def1 bypass-dhcp"). But my OpenVPN client machine gets hung.
In System1 when I run the command
wget -qO- ifconfig.me/ip
it is showing the System2 (OpenVPN server) IP address. But it shows the System1 public IP address
Please help me with how to fix this issue.
By
Mike
Hi Mike,
When you connect the client to the VPN server, what does the routing table look like on the client? Its default gateway should be sent to the VPN server. Have you restarted the OpenVPN server after the config change? Please provide some more info and I’ll have a look!
I read your other post and the explanations from this one (picture is brilliant). I finally understood how this works and what I needed to do in order to make it work.
Thank you!
You’re welcome, thanks for letting me know 🙂
Hi Remi, Thanks for the article, it helps me a lot in understanding it.
However I still have many troubles with the OpenVPN configuration. One of them is like your diagram on the server side. However, what if the client side also consists of a private LAN behind a router, just like the source: an OpenVPN client connected to the source, and I want the traffic between the 2 LANs to be able to talk to each other, like a PC in 10.5.5.0/24 able to browse another PC in the client network. What kind of configuration needs to be done in the client LAN? Thank you very much. If not mistaken it’s called a site-to-site setup?
Glad you like it! What you want shouldn’t be too hard. Just make sure the OpenVPN server is enabled for routing, and that you push the necessary routes to the clients. This is all documented here, so you probably already did this. Keep in mind the OpenVPN client on the red network is in fact a router as well. Enable that one for routing, too. If it’s not the default gateway for the clients in this network, you need something to make sure the clients know how to reach the VPN: probably a static route on the default gateway would be easiest.
Also look out for firewalls, you might want to disable them first to get it to work, then enable them again and fine-tune to allow all traffic that is needed.
Have fun with it and if you run into trouble and have an error message please let me know.
Hi, thank you very much for this tutorial.
I can use the VPN with the server but I have some problems connecting to other PCs in the LAN.
This is my configuration: my VPN client is at my office and I have my home LAN 192.168.1.0/24, my VPN client has tunnel address 10.8.0.6 and my VPN server 10.8.0.1, internal address 192.168.1.2
here is my VPN server’s routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface
default www.asusnetwork 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 192.168.1.2 255.255.255.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
here is my home router’s routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface
213.205.24.67 * 255.255.255.255 UH 0 0 0 WAN
239.255.255.250 * 255.255.255.255 UH 0 0 0 LAN
10.8.0.0 192.168.1.2 255.255.255.0 UG 1 0 0 LAN
192.168.1.0 * 255.255.255.0 U 0 0 0 LAN
169.254.0.0 * 255.255.0.0 U 0 0 0 MAN
default 213.205.24.67 0.0.0.0 UG 0 0 0 WAN
routing in VPN server is enabled.
Thank you very much for help.
Bye
You’re welcome, glad you like it!
What happens when you ping a pc in your home network from your VPN client? Do you push the 192.168.1.0/24 route to your clients?
Request timed out. Before inserting routing rules I could connect to the VPN server, now I cannot anymore. Same for other PCs on the LAN.
I pushed the route to my client, here is part of my client’s routing table:
Network Destination Netmask Gateway Interface Metric
10.8.0.0 255.255.255.0 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
10.8.0.6 255.255.255.255 On-link 10.8.0.6 286
10.8.0.7 255.255.255.255 On-link 10.8.0.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 10.8.0.5 10.8.0.6 30
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.8.0.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.8.0.6 286
thanks bye
Other tests: now I can ping the VPN server, on 192.168.1.2 and 10.8.0.1, from the VPN client, but if I push the route on the VPN server:
route add -net 10.8.0.0/24 gw 192.168.1.2
I cannot ping the VPN server anymore, on both 192.168.1.2 and 10.8.0.1
Thanks bye
You should ‘push’ a route to the network behind the OpenVPN server, not the network the OpenVPN server is using internally. What is the network you want to reach?
I want to reach 192.168.1.0/24 network
Then add:
push "route 192.168.1.0 255.255.255.0"
and it will push this route to your VPN clients.
Hi Remi,
Excellent article! I finally understand why the internet on my iPhone client isn’t working. But I am not sure how to solve the problem unfortunately. My server is set up on a Windows 7 laptop. You mentioned how to do the routing on Linux but can you tell me how to do it on Windows? I am guessing I have to go to the router settings by typing my default gateway (192.168.0.1) in a web browser. Correct? But I am not sure what to do there. I don’t see any option for “Destination IP.”
In case you need my config files:
Server config file:
local 192.168.0.12
port 1723
proto udp
dev tun
ca “C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt”
cert “C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt”
key “C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key”
dh “C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem”
server 10.27.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 64.x.y.z"
push "dhcp-option DNS 64.x.n.m"
push “redirect-gateway def1”
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
iPhone client config file:
tls-client
dev tun
proto udp
remote a.b.c.d 1723
pull
redirect-gateway def1
comp-lzo
ca ca.crt
cert client.crt
key client.key
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
cipher BF-CBC
resolv-retry infinite
Hope you can help me. Thanks!
Hi John,
In case you still need it: This link explains how to add a route in Windows 7: http://www.mydigitallife.info/how-to-add-route-to-tcpip-routing-table-with-windows-routing-and-remote-access-console-or-dos-prompt/
I’m not using Windows at all, so I haven’t tried it myself.
Hi Remi,
Great blog! Makes things really easy to understand..
Kind regards,
Mark Dijsselbloem
Glad you like it, Mark! 🙂
Good post. I learn something totally new and challenging on blogs I stumble upon
every day. It’s always useful to read through articles from other authors and use something from other web sites.
Thanks for stopping by and great to hear you learned something 🙂 Have a nice day!
Hi,
I was wondering, instead of telling your Linux server that the network 10.8.0.0 exists, shouldn’t you use NAT instead?
Then the packets coming from 10.8.0.0 (for the Linux server) will look like they are coming from 10.5.5.5, no?
That’s how I did it, then I do not have to tell our server how to look up 10.8.0.0
Thanks for your feedback. That can be done, yes. The downside of it is that you cannot see which client connects to your local services. Since they are NATted, they all have the same IP address. So, it depends on how it’s being used.
Ok, I understand what you meant, thx for answering me ^^
Thanks for the nice post. I am able to ping the machines on the server side but not the machines on the client side. I am using openvpn-as as the server.
Need help,
Great post, this helped me a lot. However, don’t you want to add persistent routing so that this will hold after a reboot?
From what I understand you need to create or modify a route file for your interface.
Something like:
echo "10.8.0.0/24 via 10.5.5.5" >> /etc/sysconfig/network-scripts/route-eth1
Hi Peter,
The OpenVPN software does this on (re)connect, so also after a reboot. This way, the route is only there when it actually works (i.e. when the OpenVPN connection is active).
Hi Remi, your article just gave me extra thought about what I really want to do with OpenVPN…. but I cannot make it access hosts from the remote network. Could you please help me while I’m also investigating what could be wrong?
Here is my Windows client config file:
client
nobind
dev tap
proto udp
remote xxx.xxx.xxx.xxx 1194
ca c:\\OVPN\\ca.crt
cert c:\\OVPN\\user.crt
key c:\\OVPN\\user.key
comp-lzo
verb 3
and here is my server configuration:
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
client-to-client
max-clients 10
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 4
when I connect to the OpenVPN server I get the 10.8.0.6 IP and the server is 10.8.0.1, and I can access its Apache and so on.. but there is another server with IP 192.168.0.122 and I cannot ping it or access it.
I did as you proposed:
route add -net 10.8.0.0/24 gw 192.168.0.176
didn’t help so I tried:
route add -net 10.8.0.0/24 gw 10.8.0.1
didn’t help
what should I correct to be able to access that other server on the remote network from my VPN client?
Any thought for my unit? ( http://www.spectra.com/ibm/ibm-systems/16/index.htm ) Thinking of doing these configurations.
Hi, I have just got a Raspberry Pi and set up an OpenVPN. With reference to the grey and green networks in the diagram: how can I make this work if, instead of trying to connect to a Linux server on the grey network, I want to connect to a Windows client on the grey network from a Windows client on the green network, i.e. to remote desktop? E.g. what IP address would be seen for the Windows client on the grey network from the point of view of the Windows client on the green network?
I am having a problem with a VPN PPTP client which is running on a TP-Link 841N router. The connection is made to a Windows 2008 server. The thing is that I want to reach devices behind the 841N router. Port forwarding is not going to work because these devices are similar and use the same port but have different IP addresses. My idea was some kind of static routing which routes the traffic from the VPN tunnel through the router and back. But how is this to be set up?
Regards,
Carlo
Hi Remi,
Trust you are doing great 🙂
Great Article!! But I am having an issue with my configuration.
I have a Windows Server 2012 R2 configured as an OVPN server and the client machine is Windows 8.1 Pro
My requirement is to connect (basically RDP) to a remote site securely via OpenVPN.
The remote subnetwork is 192.168.1.0/24. I need to RDP in to the following servers:
192.168.1.5, 192.168.1.6 and 192.168.1.7 (these machines are all standalone servers, not joined to a domain.)
When I connect with my OVPN server, my clients get the 10.0.8.6 IP. Using that I am able to log in to the server via RDP and from there, I can remote to any other servers in that network because it has a 192.168.1.0 NIC (192.168.1.4 is my server’s LAN IP)
My aim is, I don’t want to use my OVPN Windows server as a jumper. Instead, I need to RDP in to my remote hosts directly from my OVPN client machine (Win 8.1)
Which means, I connect to my OVPN server (10.8.0.1). Once I am connected, I need to directly RDP to the 192.168.1.5 server from my OVPN client machine
Any help is much appreciated.
Really nice tutorial. What if I would like to see the LAN of the network behind the client, from the 10.5.5.0/24 network, please? Is that possible?
Hi Remi,
I don’t know whether you are still here and willing to help with problems. I’ve set up an OpenVPN connection to my Raspberry Pi, it works fine so far. I followed the tutorial here
https://www.datenreise.de/raspberry-pi-vpn-server-einrichten-anleitung/
It’s in German, but from the commands you should be easily able to follow.
So, basically my configuration files are looking like the ones in the tutorial, except for the individual addresses. I can connect to the OpenVPN server via OpenVPN clients (Windows and Android, local and internet). The IP address I am getting is always 10.8.0.6. The problem is now, I can’t browse the other network devices, such as the HDD I connected to the Pi, or the other Windows computers in the LAN. The subnet of the LAN is 192.168.178.x, the static IP of my Pi is 192.168.178.65. I’ve set my (physical) network router to have a route to the network 10.8.0.0 (mask 255.255.255.0) and gw 192.168.178.65. Nothing changed. I tried for a long time, but I have not enough experience to get a thorough overview of all the connections here. Could you please give me some advice on how I will be able to access my LAN? If there is any information you need, I will provide it to you.
Thanks! =)
Hi Remi, I just want to say thank you since your post helped me a lot, after two full days of searching around the web.