HOWTO connect to hosts on a remote network using OpenVPN and some routing

13 January 2013 — 41 Comments

OpenVPN is a very powerful tool to connect to a remote network in a secure and easy way. But while it’s quite easy to set it up (see my post about OpenVPN on Raspberry Pi), getting all the pieces together takes some more network understanding and configuration. I created an image to show what’s going on when a OpenVPN client connects to the server.

OpenVPN networking

The grey network is the local network you’re connecting to, the green network is created by OpenVPN. After a successful connection, the OpenVPN server can ‘push’ a route to the OpenVPN client to make it aware of the grey network that is available through the OpenVPN connection. In this case you’d add this setting to the OpenVPN server:

push "route 10.5.5.0 255.255.255.0"

Now that the OpenVPN client knows how to find the Linux server on the grey network, it should be working, right? Nope. The Linux server does not know about the green network. So, when a OpenVPN client connects with a 10.8.0.x ip-address, this server does not know where to send the response to. When this happens, the Linux server sends its traffic to the default gateway of the local network: the router of the grey network.

But unfortunately, the router does not know about the green network neither. Since 10.8.0.x is a non-routable address (RFC 1918), it drops the packets because it has no way of knowing where to find this private network. To the OpenVPN client, this may look like there’s something wrong with the VPN connection, because even a simple ping will not work and times out. In reality, this is a routing problem.

The solution? Make the Linux server or at least the router aware of the green network, and tell them where to send traffic to this network. This is done by adding a route like this:

route add -net 10.8.0.0/24 gw 10.5.5.5

Assuming the local network ip-address of the OpenVPN server is 10.5.5.5.

This way the hosts in the grey network know about the green network and send their traffic to the OpenVPN server. Of course the OpenVPN server knows how to reach the OpenVPN client and all is working!

You can extend this further and add routes to the network of the VPN client and make hosts on both networks communicate to each other. This is useful for example to connect a branch-office to the corporate network. I’ll write about this in more detail some other time.

Hopefully this post brings some insight in what goes on when using networks and VPN connections.

41 responses to HOWTO connect to hosts on a remote network using OpenVPN and some routing

  1. 

    Hi Remi,
    I’m trying to solve my OpenVPN issues for one week and it seems that i’m out of luck.
    I found your blog with more clear explanations, but I’m still not able to solve my network routing problem.
    So, my system look like this:

    I am able to connect to my server from client PC, i’m able to ping my vpn server ip 10.8.0.1 and thats it. i’m not able to ping my router, NAS and even get through to internet with my home ip address.

    The server configuration is:
    local 192.168.1.109
    dev tun
    ifconfig 10.8.0.1 10.8.0.2
    secret static.key
    push “route 192.168.1.0 255.255.255.0”

    Client configuration is:
    remote a.b.c.d
    dev tun
    ifconfig 10.8.0.2 10.8.0.1
    secret static.key

    I have tried to add routing rule in my router, but that didn’t help me.
    Router is D-Link 825. I set:
    destination IP – 10.8.0.1
    netmask – 255.255.255.255
    gateway – 192.168.1.109

    Also i have tried NAT’ing traffic with command for RasPi:
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    But that also didn’t solve my problem.

    I feel, that i have missed a small thing that i’m not able to see it…

    Regards

    • 

      Hi Justas,
      Can you confirm the OpenVPN client gets its route from the OperVPN server? In other words, when you run ‘route -n’, does it show the 192.168.1.x network?

      If that is not the case, that is the problem. If it is listed, then I’d suggest having a look at the routes back to the 10.8.0.x network, like I described in my post. Not just 10.8.0.1, but the whole /24 network (netmask 255.255.255.0). You see, the OpenVPN client has another address in this range and the router should know about the whole network.

      Good luck!

  2. 

    It looks like forgot to add picture to my post.
    So, here it is: http://s9.postimage.org/pv0eg5a4f/Network_configuration.png

    • 

      Looks nice!
      I see now that you are using windows. In my previous comment, where I said ‘route -n’, try ‘netstat -rn’ instead. That will work on Windows and Mac OSX, even on Linux 😉

      • 

        Yes, we have a line with 192.168.1.x network in server’s routing table.
        To be more sure about my information (because i’m dummy in this area), i have collected routing tables from client pc (green), server Raspi (white) and info about NIC in client’s pc (green again)

        I have made several experiments with different settings and what i found:
        First of all i have tried to change routing rule in router, like: dest ip – 10.8.0.0 ; netmask – 255.255.255.0 ; gateway – 192.168.1.109. Also this rule is applied to WAN interface in router. I’m not able to select anything else. But this routing rule change didn’t give me any positive visible result.
        Secondly, i have enabled masquerade nat’ing. After doing this i was able to ping and explore my local home network devices.
        Eventually, i noticed when the client gets connected to vpn sever, it does not get default gateway ip address. Also subnet look weird for me, with an ending of 252 instead of 255, but maybe it is ok. So, i added default gateway for client manually. By doing this windows told me, that this connection now has access to the internet. Hooray!
        Even after that last step routing rule in home router does not give any effect when it is on or off.

        But now there are a few more things. I need somehow to route all traffic through VPN tunnel. Client PC is using OpenVPN GUI.
        And… Ok, I’m still interested about the problem why i was not able to reach network behind RasPi with vpn server. I’d like to see also the same system working normally in the way as you described.
        Networking gets more and more interesting 🙂

        Regards

  3. 

    Dear Friend,

    I have configured Openvpn (slackware13.37) machine, it is working fine, and tested that it is working.

    I have configured
    1. System1 linux machine for Openvp Client setup and started the service it is running fine
    2. System2 linux machine I have configured Openvpn(server ), it is working fine.

    The System1 openvpn client & System2 Openvpn server is connected,
    I have checked the log and I am able to ping the ping the tun0 openvpn server ip from openvpn client.

    And In Openvpn server I am able to ping the openvpn client tun0 IP address.

    In openvpn server config file I have added the option for (push “redirect-gateway def1 bypass-dhcp”) . But my openvpn client machine get hunged.

    In System1 while run the command
    wget -qO- ifconfig.me/ip
    it showing System2(openvpn server) IP address. But it show System1 Public IP address

    Please help me, how to fix this issue.

    By
    Mike

    • 

      Hi Mike,

      When you connect the client to the VPN server, how does the routing table look like on the client? Its default gateway should be sent to the VPN server. Have you restarted the OpenVPN server after the config change? Please provide some more info and I’ll have a look!

  4. 

    I read your other post and the explanations from this one (picture is brilliant). I finally understood how this works and what I needed to do in order to make it work.
    Thank you!

  5. 

    Hi Remi, Thanks for the article, it helps me a lot in understanding it.
    However I still have many troubles on the OpenVPN configuration, one of it is like your diagram, on the server side, however what if the client side, which also consists of a private LAN, behind a router just like the source, an openvpn client connected to the source and I want the traffic between the 2 LANs are able to talk to each other like a PC in 10.5.5.0/24 able to browse another PC in the client network , what kind of configuration need to be done in the Client LAN? Thank you very much, if not mistaken its called site-to-site setup?

    • 

      Glad you like it! What you want should’t be too hard. Just make sure the OpenVPN server is enabled for routing, and that you push the necessary routes to the clients. This is all documented here, so you probably already did this. Keep in mind the openVPN client on the red network, is in fact a router as well. Enable that one for routing, too. If it’s not the default gateway for the clients in this network, you need something to make sure the clients know how to reach the VPN: probably a static route on the default gateway would be easiest.

      Also look out for firewalls, you might want to disable them first to get it to work, then enable them again and fine-tune to allow all traffic that is needed.

      Have fun with it and if you run into trouble and have an error message please let me know.

  6. 

    Hi, thank you very much for this tutorial.
    I can use VPN with the server but I have some problems connecting to other pc in the LAN.
    This is my configuration: my VPN client is at my office and I have my home LAN 192.168.1.0/24, my VPN client has tunnel address 10.8.06 and my VPN server 10.8.0.1, internal address 192.168.1.2

    here is my VPN server’s routing table:

    Destination Gateway Genmask Flags Metric Ref Use Iface
    default http://www.asusnetwork 0.0.0.0 UG 0 0 0 eth0
    10.8.0.0 192.168.1.2 255.255.255.0 UG 0 0 0 eth0
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
    10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
    192.168.1.0 * 255.255.255.0 U 0 0 0 eth0

    here is my home router’s routing table:

    Destination Gateway Genmask Flags Metric Ref Use Iface
    213.205.24.67 * 255.255.255.255 UH 0 0 0 WAN
    239.255.255.250 * 255.255.255.255 UH 0 0 0 LAN
    10.8.0.0 192.168.1.2 255.255.255.0 UG 1 0 0 LAN
    192.168.1.0 * 255.255.255.0 U 0 0 0 LAN
    169.254.0.0 * 255.255.0.0 U 0 0 0 MAN
    default 213.205.24.67 0.0.0.0 UG 0 0 0 WAN

    routing in VPN server is enabled.
    Thank you very much for help.
    Bye

    • 

      You’re welcome, glad you like it!

      What happens when you ping a pc in your home network from your VPN client? Do you push the 192.168.1.0/24 route to your clients?

      • 

        Request timed out. Before inserting routing rules I can connect to vpn server, now I cannot anymore. Same for other pc on LAN.
        I pushed route on my client, here is part of my client’s routing table:

        Network Destination Netmask Gateway Interface Metric
        10.8.0.0 255.255.255.0 10.8.0.5 10.8.0.6 30
        10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
        10.8.0.6 255.255.255.255 On-link 10.8.0.6 286
        10.8.0.7 255.255.255.255 On-link 10.8.0.6 286
        127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
        127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
        .255.255.255 255.255.255.255 On-link 127.0.0.1 306
        192.168.1.0 255.255.255.0 10.8.0.5 10.8.0.6 30
        224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
        224.0.0.0 240.0.0.0 On-link 10.8.0.6 286
        .255.255.255 255.255.255.255 On-link 127.0.0.1 306
        .255.255.255 255.255.255.255 On-link 10.8.0.6 286

        thanks bye

      • 

        Other tests: now I can ping the VPN server, on 192.168.1.2 and 10.8.0.1, from VPN client, but if I push route on VPN server:

        route add -net 10.8.0.0/24 gw 192.168.1.2

        I cannot ping VPN server anymore, on both 192.168.1.2 and 10.8.0.1
        Thanks bye

      • 

        You should ‘push’ a route to the network behind the OpenVPN server, not the network the OpenVPN server is using internally. What is the network you want to reach?

      • 

        I want to reach 192.168.1.0/24 network

      • 

        Then add:
        push “route 192.168.1.0 255.255.255.0”
        and it will push this route to your VPN clients.

  7. 

    Hi Remi,

    Excellent article! I finally understand why my internet on my iphone client isnt working. But I am not sure how to solve the problem unfortunately. My server is setup on Windows 7 laptop. You mentioned how to do the routing on linux but can you tell me how to do it on windows? I am guessing I have to go to the router settings by typing my default gateway (192.168.0.1) on a web browser. Correct? But I am not sure what to do there. I don’t see any option for “Destination IP.”

    In case you need my config files:

    Server config file:

    local 192.168.0.12
    port 1723
    proto udp
    dev tun
    ca “C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt”
    cert “C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt”
    key “C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key”
    dh “C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem”
    server 10.27.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push “route 192.168.0.0 255.255.255.0”
    push “dhcp-option DNS 64.x.y.z”
    push “dhcp-option DNS 64.x.n.m”
    push “redirect-gateway def1”
    keepalive 10 120
    cipher BF-CBC
    comp-lzo
    max-clients 100
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

    Iphone client config file:

    tls-client
    dev tun
    proto udp
    remote a.b.c.d 1723
    pull
    redirect-gateway def1
    comp-lzo
    ca ca.crt
    cert client.crt
    key client.key
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    ns-cert-type server
    cipher BF-CBC
    resolv-retry infinite

    Hope you can help me. Thanks!

  8. 

    Hi Remi,

    Great blog! Makes things really easy to understand..

    Kind regards,

    Mark Dijsselbloem

  9. 

    Good post. I learn something totally new and challenging on blogs I stumbleupon
    every day. It’s always useful to read through articles from other authors and use something from other web sites.

  10. 

    Hi,

    I was wondering, instead of telling you linux server that the network 10.8.0.0 exist, shouldn’t you use NAT instead ?

    Then the packet comming from 10.8.0.0, (for the linux server), will look like they are comming from 10.5.5.5 No ?

    That’s how I did it, then I do not have to tel over server how to lookup for 10.8.0.0

    • 

      Thanks for your feedback. That can be done, yes. The down side of it, is that you cannot see what client connects to your local services. Since they are NATted, they all have the same ip address. So, it depends on how it’s being used.

  11. 

    Thanks for the nice post. I am able to ping the machines on the server side but not able to ping the machines on the client side. I am using openvpn-as as server.

    Need help,

  12. 

    Great post, this helped me a lot. However, don’t you want to add persistent routing so that this will hold after a reboot?

    From what I understand you need to create or modify a route file for your interface.
    Something like:
    echo “10.8.0.0/24 via 10.5.5.5” >> /etc/sysconfig/network-scripts/route-eth1

    • 

      Hi Peter,

      The OpenVPN software does this on (re)connect so also after a reboot. This way, the route is only there when it actually works (i.e. when the OpenVPN connection is active).

      • 

        Hi Remi, your article just gave me extra thought about what I really want to do with openvpn …. but I can not make it to access hosts from remote network. Could you please help me while I’m also investigating what could be wrong.

        Here is my Windows client config file:

        client
        nobind
        dev tap
        proto udp
        remote xxx.xxx.xxx.xxx 1194
        ca c:\\OVPN\\ca.crt
        cert c:\\OVPN\\user.crt
        key c:\\OVPN\\user.key
        comp-lzo
        verb 3

        and here is my server configuration:

        port 1194
        proto tcp
        dev tun
        ca ca.crt
        cert server.crt
        key server.key
        dh dh1024.pem
        client-to-client
        max-clients 10
        server 10.8.0.0 255.255.255.0
        ifconfig-pool-persist ipp.txt
        push “route 192.168.0.0 255.255.255.0”
        keepalive 10 120
        comp-lzo
        persist-key
        persist-tun
        status openvpn-status.log
        log /var/log/openvpn.log
        verb 4

        when I connect to OpenVPN server I get 10.8.0.6 IP and server 10.8.0.1 and I can access its apache and so on .. but there is another server with IP: 192.168.0.122 and I can not ping it or access it.

        I did as you proposed:

        route add -net 10.8.0.0/24 gw 192.168.0.176

        didn’t help so I tryed:

        route add -net 10.8.0.0/24 gw 10.8.0.1

        didn’t help

        what should I correct to be able to access that another server on remote network from my vpn-client?

  13. 

    Any thought for my unit? ( http://www.spectra.com/ibm/ibm-systems/16/index.htm ) Thinking of doing these configurations.

  14. 

    Hi I have just got a Raspberry Pi and set up an OpenVPN. With reference to the grey and green networks in the diagram. How can I make this work if instead of a trying to connect to a Linux server on the grey network I want to connect to a Windows client on the grey network from a Windows client on the green network i.e. to remote desktop? E.g. what ip address would be seen for the Windows client on the grey network from the point of view of the Windows client on the green network.

  15. 

    I am having a problem with a vpn PPTP client which is running on a tp link router 841N. The connection is made to a windows2008 server. The thing is that I want to reach devices behind the 841N router. Portforwarding is not gona work because these devices are simmular and uses the same port but have different IP adresses. My idea was some kind of static routing. which routes the trafic from the VPN tunnel through the router and back. But how is this to be setup?

    Regards,

    Carlo

  16. 

    Hi Remi,
    Trust you are doing great 🙂

    Great Article!! But I am having an issue with my configuration.

    I have a Windows server 2012 R2 configured as an OVPN server and a client machine is Windows 8.1 Pro

    My requirement is to connect(basically RDP) to a remote site securely via openVPN.
    The remote sub network is 192.168.1.0/24 . I need to RDP in to the following servers
    192.168.1.5,192.168.1.6 and 192.168.1.7(these machines are all standalone servers.Not joined to domain.)

    When I connect with my OVPN server, my clients get 10.0.8.6 IP. using that I am able to login to the server via RDP and from there, I can remote to any other servers in that network because it has a 192.168.1.0 NIC (192.168.1.4 is my Server`s LAN IP)

    My aim is, I don`t want to use my OVPN windows server as a Jumper. Instead,I need to RDP in to my Remote hosts directly from my OVPN client machine (Win 8.1)

    Which means, I connect to my OVPN server (10.8.0.1) .Once I connected, I need to directly RDP to 192.168.1.5 server from my ovpnclient machine

    Any help is much appreciated.

  17. 

    really nice tutorial. what if i would like to see the LAN of the network behind the client, from the 10.5.5.0/24 network, please? is that possible?

  18. 

    Hi Remi,
    don’t know whether you are still here and willing to help with problems. I’ve set up a OpenVPN Connection to my Raspberry Pi, it works fine so far. I followed the tutorial here

    https://www.datenreise.de/raspberry-pi-vpn-server-einrichten-anleitung/

    It’s in German, but from the commands you should be easily able to follow.

    So, basically my configuraion files are looking like the ones in the tutorial, except from the individual addresses. I can connect to the OpenVPN Server via OpenVPN Clients (Windows and Android, local and internet). The IP adress I am getting is always 10.8.0.6. The problem is now, I can’t browse the other network devices, such as the HDD I connected to the Pi, or the other windows computers in the LAN. The subnet of the LAN is 192.168.178.x, the static IP of my Pi is 192.168.178.65. I’ve set my (phsical) network router to have a route to the network 10.8.0.0 (mask 255.255.255.0) and gw 192.168.178.65. Nothing changed. I tried for long time, but I have not enough experience to get a thorough overview about all the connections here. Could you please give me some advice, how I will be able to access my LAN. If there is any information you need, I will provide it to you.

    Thanks! =)

Trackbacks and Pingbacks:

  1. Building an economical OpenVPN server using the Raspberry Pi « Remi Bergsma's blog - January 2, 2013

    […] HOWTO connect to hosts on a remote network using OpenVPN and some routing […]

  2. Secure browsing via untrusted wifi networks using OpenVPN and the Raspberry Pi « Remi Bergsma's blog - January 28, 2013

    […] green) where to send traffic for theOpenVPN clients. If you omit this step, this traffic gets lost. More info in this post. Short story: add this static route to your default gateway. If it’s Linux, you’d […]

  3. OpenVPN routing for remote hosts | 0ddn1x: tricks with *nix - March 26, 2013

    […] https://blog.remibergsma.com/2013/01/13/howto-connect-to-hosts-on-a-remote-network-using-openvpn-and-… […]

  4. Yet another routing issue in OpenVPN – Cannot access local machines while on VPN | DL-UAT - January 17, 2015

    […] This short article on how to set up routing with OpenVPN to connect to hosts on my LAN […]

What do you think?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s