OpenVPN "Allow clients to access servers LAN" not working

Discussion room for Synology VPN package in DSM 3.1-1725 or above.
enigma0
I'm New!
Posts: 6
Joined: Wed Jun 03, 2015 3:47 am

OpenVPN "Allow clients to access servers LAN" not working

Postby enigma0 » Thu Jul 16, 2015 4:07 pm

OpenVPN Server "Allow clients to access servers LAN" not working.

Port is forwarded, connection is established, I get an IP but I cannot access anything on the LAN.

What's missing?

The .ovpn has this but it's all commented out:

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS


Also, "VPN client settings have been integrated into Network > Network Interface." in release notes (https://www.synology.com/en-us/releaseNote/DS414) indicates that maybe I'm supposed to do something there? Not at all obvious.

My LAN range is gateway:192.168.1.1 (192.168.1.2-192.168.1.254) and the VPN subnet range is (192.168.2.0-192.168.2.255)
Last edited by enigma0 on Tue Aug 04, 2015 9:27 pm, edited 1 time in total.
gcraenen
Trainee
Posts: 14
Joined: Thu Dec 05, 2013 11:14 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby gcraenen » Tue Aug 04, 2015 9:04 pm

Got the same problems. For a long time!! The Synology "solution" for OVPN is a very bad implementation. Do yourself a favor and use the OVPN solution on your gateway/router or set up a dedicated OVPN server on an Ubuntu box. Just works and you're not dependent on the Synology developers breaking the OVPN packages with every tiny update of DSM.
norcat
Knowledgeable
Posts: 388
Joined: Sat Oct 29, 2011 2:31 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby norcat » Wed Aug 05, 2015 11:08 am

enigma0 wrote:The .ovpn has this but it's all commented out:

What you posted must be just an excerpt. The "Allow clients to access servers LAN" option adds a 'push route' instruction in server config, and client fetches it with the 'pull' instruction in client .ovpn file. I've not had problems accessing server lan devices using either a 10.8.0.x ip (but not easy to know which device is assigned which ip) or the server lan subnet 192.168.x.x ip (will only work if local lan subnet is not in conflict).
DS111 (DSM 5.2) and DS109 (DSM 4.2), both connected to gigabit ethernet and wireless lan.
DarkSim
I'm New!
Posts: 2
Joined: Wed Aug 05, 2015 11:08 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby DarkSim » Wed Aug 05, 2015 11:09 am

I have the exact same problems, on both my DS214 and my DS212
enigma0
I'm New!
Posts: 6
Joined: Wed Jun 03, 2015 3:47 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby enigma0 » Wed Aug 05, 2015 6:56 pm

Yes it is just an excerpt of what I thought may need tweaking perhaps. Is my configuration a conflicting one?

It's 192.168.1.1 (router) and 192.168.2.1 (VPN).
norcat
Knowledgeable
Posts: 388
Joined: Sat Oct 29, 2011 2:31 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby norcat » Thu Aug 06, 2015 12:09 am

enigma0 wrote:Yes it is just an excerpt of what I thought may need tweaking perhaps.

You don't need to tweak anything regarding VPN for this to work.

enigma0 wrote:Is my configuration a conflicting one? It's 192.168.1.1 (router) and 192.168.2.1 (VPN).

Not sure what you mean by that. If there is a conflict it is between the subnet of the local machine (VPN client) and subnet of remote server machine (Diskstation). If you mean mask is 255.255.255.0, e.g. 192.168.1.x remote and 192.168.2.x local, then those are two different non-overlapping subnets that are not in conflict, and client should be able to reach the remote 192.168.1.x addresses (as well as 10.8.0.x addresses).
DS111 (DSM 5.2) and DS109 (DSM 4.2), both connected to gigabit ethernet and wireless lan.
enigma0
I'm New!
Posts: 6
Joined: Wed Jun 03, 2015 3:47 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby enigma0 » Sat Aug 08, 2015 5:02 am

So maybe the route being pushed is wrong. Pull is in the .ovpn file. I can't ping or access anything cross subnets.

How do I need to set it up?

I tried setting the dhcp-option to 192.168.1.1 (main router) but that didn't help really.. I can ping from VPN clients to main router address and I get returns but I can't connect to a server on one of those addresses that I can ping and I cannot ping from main .1.1 subnet into .2.1 subnet.

I have my 192.168.1.1 's subnet mask set to 255.255.252.0.
Last edited by enigma0 on Sun Aug 09, 2015 5:32 am, edited 1 time in total.
norcat
Knowledgeable
Posts: 388
Joined: Sat Oct 29, 2011 2:31 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby norcat » Sat Aug 08, 2015 11:22 am

enigma0 wrote:So maybe the route being pushed is wrong.

Different operating systems have tools for looking at what routes are in play, for example Windows has a 'route print' command to view from Command Prompt.

enigma0 wrote:How do I need to set it up?

I didn't have to set up anything. It just works, but it wouldn't if the local and remote networks had the same subnet configurations, since then routing is not possible.

enigma0 wrote:I tried setting the dhcp-option to 192.168.1.1 (main router) but that didn't help really..

What is a "main router"?? And what does DHCP have to do with this? You're asking for trouble if you start to change network settings when you don't know what they are and what they do.

You really need to think in terms of how the network is configured at one location (local), as opposed to at a different location (remote). VPN client has a local network configuration, and it then connects to VPN server at remote network. A route is needed in client for it to be able to reach hosts on both its local network and the remote network, and that is what VPN Server does automatically with that option: it pushes the server local subnet to the client.

enigma0 wrote:I have my 192.168.1.1 's subnet mask set to 255.255.252.0.

Firstly "192.168.1.1" is a single host address, and a subnet calculator will show you the host range for that mask. That's a supernet with host range 192.168.0.1 to 192.168.3.254. Obviously ..1.1 and ..2.2 are both within that range.
DS111 (DSM 5.2) and DS109 (DSM 4.2), both connected to gigabit ethernet and wireless lan.
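
Added example, not part of any post in this thread: the subnet arithmetic discussed above, done with Python's standard `ipaddress` module on the addresses and masks quoted in the thread. The `/24` comparison set and the helper names are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def subnet_of(spec):
    """Network that an 'address/mask' (or 'network/prefix') string belongs to."""
    return ipaddress.ip_interface(spec).network


def host_range(spec):
    """First and last usable host address of the subnet, as a subnet calculator shows."""
    net = subnet_of(spec)
    return str(net[1]), str(net[-2])


def overlapping_pairs(named_specs):
    """Name pairs whose subnets overlap; a route between such a pair is ambiguous."""
    nets = {name: subnet_of(spec) for name, spec in named_specs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def delivery(host_spec, destination):
    """'on-link': the host ARPs for the destination on its own segment.
    'via gateway': the host hands the packet to a router, which can hold the VPN route."""
    inside = ipaddress.ip_address(destination) in subnet_of(host_spec)
    return "on-link" if inside else "via gateway"


# Addresses and masks quoted in the thread.
AS_POSTED = {"server LAN": "192.168.1.1/255.255.252.0", "VPN subnet": "192.168.2.0/24"}
# Constructed comparison: the same LAN with a 255.255.255.0 mask.
WITH_24_MASK = {"server LAN": "192.168.1.1/255.255.255.0", "VPN subnet": "192.168.2.0/24"}

if __name__ == "__main__":
    print("host range:", host_range(AS_POSTED["server LAN"]))
    for label, specs in (("as posted", AS_POSTED), ("/24 mask", WITH_24_MASK)):
        print(label, "overlaps:", overlapping_pairs(specs))
    # 192.168.1.181 (LAN host) replying to 192.168.2.6 (VPN client), both from the thread.
    for mask in ("255.255.252.0", "255.255.255.0"):
        print(mask, "->", delivery(f"192.168.1.181/{mask}", "192.168.2.6"))
```

With the 255.255.252.0 mask a LAN host treats 192.168.2.6 as a neighbour on its own segment, so its replies never reach a router that could forward them into the tunnel.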
enigma0
I'm New!
Posts: 6
Joined: Wed Jun 03, 2015 3:47 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby enigma0 » Sun Aug 09, 2015 5:30 pm

norcat wrote:Different operating systems have tools for looking at what routes are in play, for example Windows has a 'route print' command to view from Command Prompt.


Ok using 'route print' I get a bunch of IPv4 Route Table entries. One is 192.168.0.0 | 255.255.252.0 . What should I see here?

norcat wrote:I didn't have to set up anything. It just works, but it wouldn't if the local and remote networks had the same subnet configurations, since then routing is not possible.


I'm pretty sure both my subnet configurations are ok but I can't talk to the VPN clients from the router's subnet. The subnet mask of 255.255.252.0 might be an issue though? Like if I am supposed to use static routes or something instead of a larger subnet mask. I don't know.

norcat wrote:What is a "main router"?? and what does DHCP has to do with this? You're asking for trouble if you start to change network settings that you don't know what is and what does.


I don't know what most of this stuff does yet it doesn't work and I still need to change things to make it work... Main router is the 192.168.1.1 router subnet. I can disable the dhcp-option line in the client config if that isn't necessary. Seemed like it might be what's missing.

norcat wrote:You really need to think in terms of how the network is configured at one location (local), as opposed to at a different location (remote). VPN client has a local network configuration, and it then connects to VPN server at remote network. A route is needed in client for it to be able reach hosts both its local network and the remote network, and that is what VPN Server does automatically with that option, it pushes the server local subnet to the client.


Yes that is what I need help with - I don't know how to configure each end so they can talk to each other. The default settings are not sufficient nor is whatever this checkbox does in Synology's OpenVPN configuration. When I connect to my VPN with a client, it gets an IP of 192.168.2.6 which is not the local subnet of the router I want to be on. It's the subnet the VPN server sets up.

norcat wrote:Firstly "192.168.1.1" is a single host address, and a subnet calculator will show you the host range for that mask. That's a supernet with host range 192.168.0.1 to 192.168.3.254. Obviously ..1.1 and ..2.2 is both within that range.


Yes I gathered that the 255.255.252.0 mask should allow communication from 192.168.0.1 to 192.168.3.254 from this post: https://serverfault.com/questions/88314 ... -168-2-254

I don't know how or what it's doing or if this is the right way to do what I am trying to do - get 192.168.1.0 clients talking two-way to 192.168.2.0 clients.
norcat
Knowledgeable
Posts: 388
Joined: Sat Oct 29, 2011 2:31 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby norcat » Sun Aug 09, 2015 11:43 pm

enigma0 wrote:Ok using 'route print' I get a bunch of IPv4 Route Table entries. One is 192.168.0.0 | 255.255.252.0 . What should I see here?

Your local subnet (client) and the remote subnet (server), and a bunch of other things.

enigma0 wrote:Main router is the 192.168.1.1 router subnet

Hm? Where? (see below)

enigma0 wrote:I can disable the dhcp-option line in the client config if that isn't necessary

It is disabled (commented out) by default, don't enable it unless you know what you're doing.

enigma0 wrote:The default settings are not sufficient nor is whatever this checkbox does in Synology's OpenVPN configuration

Default was sufficient for me, but then I didn't have conflicting lans in client and server. The checkbox just adds a push route instruction for server lan in server config, which client then pulls. Depending on client you may receive an error message saying that client could not add route if the route is a problem. Manually adding routes, if that is even possible to avoid such a problem, is outside my knowledge.

enigma0 wrote:Yes I gathered that the 255.255.252.0 mask should allow communication from 192.168.0.1 to 192.168.3.254

Yes, but only for one destination. If that is client lan then it would block access to server if that is the ..2.0. I'm still very much confused by your descriptions of what is your server lan and what is your client lan.

enigma0 wrote:what I am trying to do - get 192.168.1.0 clients talking two-way to 192.168.2.0 clients.

Two way? That is unusual, I can no more than point you for example to "Making OpenVPN Route Both Ways With TUN", which says it can be done and indicates how. It would require custom server instructions though, which is highly advanced.
DS111 (DSM 5.2) and DS109 (DSM 4.2), both connected to gigabit ethernet and wireless lan.
norcat
Knowledgeable
Posts: 388
Joined: Sat Oct 29, 2011 2:31 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby norcat » Tue Aug 11, 2015 12:49 pm

norcat wrote:I've not had problems accessing server lan devices using either a 10.8.0.x ip (but not easy to know which device is assigned which ip) or the server lan subnet 192.168.x.x ip (will only work if local lan subnet is not in conflict).

I need to correct myself here about the 10.8.0.x statement, just tested this and I was not able to reach other server lan devices with the 10.8.0.x subnet (this is the OpenVPN standard dynamically assigned VPN client ip as configured in VPN Server in DSM). I was sure I had done this before also, but something may have changed or I remembered wrong. There are routes added in client for this too, but only leading to VPN server.
DS111 (DSM 5.2) and DS109 (DSM 4.2), both connected to gigabit ethernet and wireless lan.
enigma0
I'm New!
Posts: 6
Joined: Wed Jun 03, 2015 3:47 am

Re: OpenVPN "Allow clients to access servers LAN" not workin

Postby enigma0 » Thu Aug 13, 2015 3:04 pm

I was able to get 2-way pinging but unfortunately I think that nature of the VPN is still posing a problem for using services hosted locally.

I noticed if I go to whatsmyip.org while connected to the VPN, I still have the same outward IP as I had before. I believe it was because of this that I couldn't say access 192.168.1.1 and 192.168.1.181's web services.

What I think I need now is to utilize redirect-gateway. I turned that setting on in the client config and I now have an external IP that matches the external IP of the 192.168.1.0 LAN. All is good except I cannot access the internet or local web services.

So again I think I am back to square one on another front. Something else needs more config line(s). Not sure what.
jcdu63
I'm New!
Posts: 1
Joined: Sun Feb 14, 2016 4:41 pm

Re: OpenVPN "Allow clients to access servers LAN" not working

Postby jcdu63 » Sun Feb 14, 2016 4:50 pm

Hi,

I do not know whether you solved this problem, but in my case, it was just a matter of changing the 10.8.0.x default IP range into something else (namely 10.3.0.x).
Strange...

redirect-gateway def1 is also uncommented for me.


J-C
anarky321
I'm New!
Posts: 8
Joined: Wed Feb 17, 2016 2:01 am

Re: OpenVPN "Allow clients to access servers LAN" not working

Postby anarky321 » Wed Feb 17, 2016 10:03 pm

I'm also not able to view LAN over OpenVPN

Wed Feb 17 15:59:42 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 1 2016
Wed Feb 17 15:59:42 2016 Windows version 6.2 (Windows 8 or greater)
Wed Feb 17 15:59:42 2016 library versions: OpenSSL 1.0.1r 28 Jan 2016, LZO 2.09
Wed Feb 17 15:59:46 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 17 15:59:46 2016 UDPv4 link local (bound): [undef]
Wed Feb 17 15:59:46 2016 UDPv4 link remote: [AF_INET]66.26.1.223:1194
Wed Feb 17 15:59:46 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Feb 17 15:59:48 2016 [maxim] Peer Connection Initiated with [AF_INET]66.26.1.223:1194
Wed Feb 17 15:59:51 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Feb 17 15:59:51 2016 open_tun, tt->ipv6=0
Wed Feb 17 15:59:51 2016 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{EC3057FC-E9E0-47DF-9622-054EAB9EA374}.tap
Wed Feb 17 15:59:51 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.3.6/255.255.255.252 on interface {EC3057FC-E9E0-47DF-9622-054EAB9EA374} [DHCP-serv: 192.168.3.5, lease-time: 31536000]
Wed Feb 17 15:59:51 2016 Successful ARP Flush on interface [23] {EC3057FC-E9E0-47DF-9622-054EAB9EA374}
Wed Feb 17 15:59:54 2016 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Wed Feb 17 15:59:54 2016 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Wed Feb 17 15:59:54 2016 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Wed Feb 17 15:59:54 2016 Initialization Sequence Completed
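
Added example, not part of the post above and not OpenVPN's own tooling: a small checker that reads a client log like the one posted, pairs each WARNING with the client directive that addresses it, extracts the tunnel address and counts installed routes. Assumptions: the mapping to `remote-cert-tls server` and the `route.exe ADD` line format are supplied by this example, and the route line is constructed; the posted log contains no such line.

```python
import re

# Warning fragment -> client directive that addresses it. "auth-nocache" is named
# by the log itself; "remote-cert-tls server" is the mapping assumed by this example.
REMEDIES = {
    "No server certificate verification method": "remote-cert-tls server",
    "may cache passwords in memory": "auth-nocache",
}
TUNNEL_RE = re.compile(r"DHCP IP/netmask of ([\d.]+)/([\d.]+) on interface")


def audit_client_log(text):
    """Collect warnings (with a suggested directive), the tunnel address and
    the number of routes the client installed."""
    report = {"warnings": [], "tunnel": None, "routes_added": 0}
    for line in text.splitlines():
        if "WARNING:" in line:
            message = line.split("WARNING:", 1)[1].strip()
            fix = next((d for frag, d in REMEDIES.items() if frag in message), None)
            report["warnings"].append((message, fix))
        match = TUNNEL_RE.search(line)
        if match:
            report["tunnel"] = match.groups()
        # Assumption: the Windows client logs each installed route as "route.exe ADD ...".
        if "route.exe ADD" in line:
            report["routes_added"] += 1
    return report


# Lines copied from the log in the post above.
POSTED_LOG = r"""
Wed Feb 17 15:59:46 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 17 15:59:46 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Feb 17 15:59:51 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.3.6/255.255.255.252 on interface {EC3057FC-E9E0-47DF-9622-054EAB9EA374} [DHCP-serv: 192.168.3.5, lease-time: 31536000]
Wed Feb 17 15:59:54 2016 Initialization Sequence Completed
"""
# Constructed line, not from the post: what a pulled LAN route could look like.
CONSTRUCTED_ROUTE = r"Wed Feb 17 15:59:54 2016 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.3.5"

if __name__ == "__main__":
    report = audit_client_log(POSTED_LOG)
    for message, fix in report["warnings"]:
        print(f"{fix or 'no mapping'}: {message}")
    print("tunnel:", report["tunnel"], "routes added:", report["routes_added"])
```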
bvrulez
I'm New!
Posts: 3
Joined: Tue Dec 29, 2015 4:34 pm

Re: OpenVPN "Allow clients to access servers LAN" not working

Postby bvrulez » Sat Apr 08, 2017 7:24 pm

I have the same problem. I can successfully connect to the OpenVPN server on my Synology from over the internet. The client gets the tunnel IP 10.8.0.6 and logs on the server show that it connected. The server is supposed to be reachable at 10.8.0.5, but I cannot ping it from the client. I also cannot ping anything in the remote LAN.

The gateway of the remote LAN (where the OpenVPN server is located) is a Ubiquiti EdgeRouter. Do I have to put a route on that router so that it is forwarding traffic directed to the 10.8.0.1/24 subnet to the OpenVPN server? Of course, I have port forwarding from the router to the Synology. But do I also have to add an extra route on the router because the gateway of the remote LAN is not located on the Synology? I read about that here: https://openvpn.net/index.php/open-source/documentation/howto.html.
