OpenVPN "Allow clients to access servers LAN" not working

Discussion room for Synology VPN package in DSM 3.1-1725 or above.
Rusty1281
Seeker
Posts: 1755
Joined: Fri Jun 03, 2011 10:51 pm

Postby Rusty1281 » Sat Apr 08, 2017 7:43 pm

I have had several problems like these, but never again with the Viscosity client app from SparkLabs (https://www.sparklabs.com/viscosity/); it works like a charm with an OpenVPN setup. I use it daily on multiple Macs and tested it on Win OS as well, also no problem.
Synology DS412+ (4x3TB WD red - RAID 5) | Synology DS211j (2x2TB WD green - RAID1) | RT1900AC
andyh747
I'm New!
Posts: 7
Joined: Mon Apr 10, 2017 8:08 pm

Postby andyh747 » Mon Apr 10, 2017 8:16 pm

Ok I'm also struggling with this! I've also tried Viscosity but no success either.

I can, like others, successfully connect to the VPN server on the remote synology station. The remote LAN I'm trying to access has the IP 192.168.1.x and the VPN is set with an IP of 192.168.2.x. When connected I can successfully access the remote NAS by using 192.168.2.1 (within the remote LAN the NAS has an IP of 192.168.1.250). I cannot however access any of the other LAN side clients e.g. the router on 192.168.1.1 or anything else.

Anyone solved this and can advise what I need to do to access remote LAN side clients through the VPN?
BobW
Trainee
Posts: 13
Joined: Wed Sep 18, 2013 3:32 pm

Postby BobW » Sun Apr 30, 2017 11:58 am

Facing the same problem: cannot connect to the LAN with a LAN IP (192.168.x.x) or domain name when the VPN is on. I have a DNS server running on the NAS with a domain and sub-domains for the LAN network, and everybody can connect through the domain names (e.g. nas.mydomain.com), but when the VPN (OpenVPN) is on nothing can be reached by domain name or LAN IP (192.168.x.x), only by VPN IP (10.10.x.x). Even (name.local) cannot connect. Has anybody found a solution yet?
Badack
Trainee
Posts: 19
Joined: Wed Aug 01, 2012 9:39 am
Location: Belgium

Postby Badack » Thu May 04, 2017 12:37 pm

I have the same problem.
I opened a ticket with support but without any solution :(

I don't know how to solve it.
I have deployed a lot of VPN solutions with Synology NAS perfectly, and here I'm facing this issue without any idea how I can solve it.
coram
I'm New!
Posts: 4
Joined: Sun May 21, 2017 9:24 pm

Postby coram » Sun May 21, 2017 9:31 pm

Hello,

I have the same problem as you. These days I set up the Synology VPN server, and I wanted to try the "Allow client access servers LAN" option, without success.
But doing some tests, I found that there is a problem with the firewall. If I totally disable the firewall, the option works perfectly (I can also ping the LAN devices and use remote desktop to them). If I turn the Synology firewall on again, the option stops working.
I also tried to open port 3389 (Remote Desktop) on the Synology to try remote desktop via the VPN, but even with this exception rule, the firewall blocks everything that passes from the VPN to the LAN.
So at the moment the solution is to turn off the firewall, but that isn't a really nice idea :?
Probably a bug in the firewall?
Does anyone have other ideas?
coram
I'm New!
Posts: 4
Joined: Sun May 21, 2017 9:24 pm

Postby coram » Sun May 21, 2017 11:33 pm

Ok, I think I found the solution! :D
In the previous post, I supposed that it is the firewall that denies access to the LAN from the VPN.
In fact, with the DiskStation firewall disabled, everything works great. But obviously it isn't possible to keep the firewall disabled :lol:

So I studied the DiskStation firewall function using the manual.
To allow the VPN to access the LAN, follow these steps:
1) Go to Control Panel -> Security -> Firewall;
2) Select the default rule profile;
3) Edit rules;
4) In global interfaces, remove the VPN OpenVPN server rule
Image
5) Go to the LAN interface (still in the firewall's rule profile editing) and set "Deny Access" as the default rule for the interface, then add the rule for VPN Server as in the picture
Image
6) Go to the VPN interface and open all the local ports required by your protocols. Remember to set "Deny Access" as the default rule for this interface too. If you want to ping from VPN to LAN, add the ICMP rule as in the image
Image
7) Click OK, and now you can try ping, remote desktop and accessing network folders. To test, use the normal LAN IP, not the VPN-assigned one.

Regards
Coram
bvrulez
I'm New!
Posts: 3
Joined: Tue Dec 29, 2015 4:34 pm

Postby bvrulez » Thu Aug 17, 2017 10:52 pm

Thanks a lot to Italy for sharing this awesome answer with us! I was searching for months because I thought that my VPN was broken or that my work wifi was somehow blocking my access to my home LAN (however that should be possible). It never occurred to me that I would have to open up the ports from the VPN tunnel to the local LAN. Because, why would I build a tunnel to my home LAN and then want it to be blocked?! So, thanks a lot for pointing to that solution! Sadly, I did find it after months because some other guy pointed at it, because I was not receiving any emails from this forum here by default.
coram
I'm New!
Posts: 4
Joined: Sun May 21, 2017 9:24 pm

Postby coram » Fri Aug 18, 2017 11:06 am

You're welcome! :D
I hope that this discussion will be marked as "Solved" to help other people find the solution rapidly.
kayak83
I'm New!
Posts: 8
Joined: Wed Jun 07, 2017 9:16 pm

Postby kayak83 » Fri Sep 22, 2017 11:16 pm

I'm having this issue still. About to give up on it.

Clients can connect to the VPN server on the Synology from out of the local network using OpenVPN, but they cannot map the shared drive. I just want to access files remotely. SFTP works but a mapped drive would be awesome.
coram
I'm New!
Posts: 4
Joined: Sun May 21, 2017 9:24 pm

Postby coram » Sat Sep 23, 2017 8:00 am

Hello,

You have to do 2 things:
1) open the necessary port on synology firewall following my previous post for network share https://social.technet.microsoft.com/Fo ... inserverPN

2) when you add the mapped drive use the local ip like \\192.168.2.34\MyUserFolder

Hope this helps

Regards
Coram
kayak83
I'm New!
Posts: 8
Joined: Wed Jun 07, 2017 9:16 pm

Postby kayak83 » Mon Sep 25, 2017 7:54 pm

I don't believe it's a firewall problem as disabling the synology firewall for testing doesn't have any effect.
MMD
Versed
Posts: 292
Joined: Fri Oct 10, 2014 5:53 pm

Postby MMD » Mon Sep 25, 2017 9:16 pm

Using SMB?
Disable firewall on (Windows?) client?
kayak83
I'm New!
Posts: 8
Joined: Wed Jun 07, 2017 9:16 pm

Postby kayak83 » Mon Sep 25, 2017 9:38 pm

Here's where I'm currently at:

Remote client successfully connects to VPN.
- Connection is shown in VPN Server connections list.
Dynamic IP address for the VPN Server is set to 10.0.0.1.
- Client connects as "10.0.0.6"
"Allow clients to access server's LAN"- checked
Enable compression on VPN link- unchecked
LAN IP is 192.168.0.x- i.e.- Synology has an IP of 192.168.0.x

Disabling Synology firewall has no effect.
Disabling the client's (Windows 10) firewall has no effect.
Client's network discovery is turned on.

I'm led to believe I've got some sort of routing issue.
MMD
Versed
Posts: 292
Joined: Fri Oct 10, 2014 5:53 pm

Postby MMD » Mon Sep 25, 2017 10:17 pm

Please check:

Client and NAS firewalls disabled simultaneously?

Three subnets are involved:
1. Local 192.168.0.0/24
2. VPN 10.0.0/24
3. ???
These three may not be the same.

You write that SFTP works, so routing should be ok.
Is samba running?
How are you mapping a drive?

Does your client's Windows 10 have the group policy editor?
If so, check:
Computer configuration -> Windows settings -> Security settings -> Local policy -> Security options
Post all values under column Security setting for NTLM entries under column Policy.
Or even better post screenshot.
dwightery
I'm New!
Posts: 2
Joined: Tue Dec 06, 2016 7:08 pm

Postby dwightery » Thu Dec 07, 2017 5:41 am

I've had a similar issue in the past, and it's come up again this last week. When this occurs, I can VPN in no problem from remote locations, but cannot reach devices "behind" the VPN endpoint, the Synology device. My "home" (on the VPN side) network is 192.168.10.0/24; since most places I connect from are often 192.168.1.0/24 and 192.168.2.0/24, I put my own network on a different subnet. The VPN network is 10.8.0.0/24 as well.

Been testing this on my mac.

When the VPN connection comes up, I can ping the "vpn server" address of 10.8.0.1 but, I cannot ping my home gateway, 192.168.10.1. This is because, when the VPN link comes up, it does -not- add a route for the 192.168.10.0/24 network, via the gateway "10.8.0.1". If I add this route manually, while the VPN is up, I can then reach my home network devices "behind" the synology VPN server:

Code:
(bring VPN up)

dwights-mbp-2:~ root#
dwights-mbp-2:~ root# ping -c 4 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=57.552 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=47.105 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=41.453 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=58.989 ms

--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 41.453/51.275/58.989/7.293 ms
dwights-mbp-2:~ root# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
Request timeout for icmp_seq 0

--- 192.168.10.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

ping fails ..


dwights-mbp-2:~ root# netstat -rn | grep 192.168
default            192.168.43.1       UGSc           33        2     en0
192.168.43         link#4             UCS             1        0     en0
192.168.43.1/32    link#4             UCS             1        0     en0
192.168.43.1       a2:cc:2b:82:a3:22  UHLWIir        41      299     en0   1197
192.168.43.78/32   link#4             UCS             0        0     en0
192.168.43.255     ff:ff:ff:ff:ff:ff  UHLWbI          0       15     en0
dwights-mbp-2:~ root# route add -net 192.168.10.0/24 10.8.0.1
add net 192.168.10.0: gateway 10.8.0.1
dwights-mbp-2:~ root# ping -c 5 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=63 time=86.113 ms
64 bytes from 192.168.10.1: icmp_seq=1 ttl=63 time=53.443 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=63 time=83.463 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=63 time=45.565 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=63 time=55.113 ms

--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 45.565/64.739/86.113/16.705 ms
dwights-mbp-2:~ root# netstat -rn | grep 192.168
default            192.168.43.1       UGSc           28        2     en0
192.168.10         10.8.0.1           UGSc            1        5   utun2
192.168.43         link#4             UCS             1        0     en0
192.168.43.1/32    link#4             UCS             1        0     en0
192.168.43.1       a2:cc:2b:82:a3:22  UHLWIir        36      309     en0   1184
192.168.43.78/32   link#4             UCS             0        0     en0
192.168.43.255     ff:ff:ff:ff:ff:ff  UHLWbI          0        2     en0
dwights-mbp-2:~ root#

shut vpn down, you can see that the route for 192.168.10 via 10.8.0.1 is removed

dwights-mbp-2:~ root# netstat -rn | grep 192.168
default            192.168.43.1       UGSc           36        2     en0
192.168.43         link#4             UCS             1        0     en0
192.168.43.1/32    link#4             UCS             1        0     en0
192.168.43.1       a2:cc:2b:82:a3:22  UHLWIir        41      327     en0   1197
192.168.43.78/32   link#4             UCS             0        0     en0
192.168.43.255     ff:ff:ff:ff:ff:ff  UHLWbI          0        2     en0

bring VPN up again, manually add the route

dwights-mbp-2:~ root# route add -net 192.168.10.0/24 10.8.0.1
add net 192.168.10.0: gateway 10.8.0.1
dwights-mbp-2:~ root# ping -c 5 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=63 time=46.120 ms
64 bytes from 192.168.10.1: icmp_seq=1 ttl=63 time=271.388 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=63 time=341.078 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=63 time=47.887 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=63 time=55.770 ms

--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 46.120/152.449/341.078/127.525 ms
dwights-mbp-2:~ root#


So what's happening for me is that when the VPN connection comes up, it doesn't add a route for the remote network via the VPN server's endpoint IP (10.8.0.1). When the VPN link is dropped, however, it does delete that route.

As I mentioned, I had seen this before, but after rebooting my home router, switch, and the Synology itself, the route still doesn't get added. I DO remember hitting this before, but there's no way I can remember what I did to fix it back then :).

dwight
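
The route check from the post above, as an added example that is not part of the original thread: it parses macOS `netstat -rn` rows, expands the abbreviated destinations (`192.168.10` means 192.168.10.0/24) and uses longest-prefix match to show which gateway and interface would carry traffic to the home LAN, plus the subnet-overlap check raised earlier in the thread. The function names are hypothetical and the sample rows are constructed, modelled on the output in the post.

```python
import ipaddress

# Constructed sample rows in the `netstat -rn` layout shown in the post above
# (Destination, Gateway, Flags, Refs, Use, Netif); addresses are illustrative.
BEFORE = """\
default            192.168.43.1       UGSc           33        2     en0
192.168.43         link#4             UCS             1        0     en0
192.168.43.1/32    link#4             UCS             1        0     en0
192.168.43.255     ff:ff:ff:ff:ff:ff  UHLWbI          0       15     en0
"""
AFTER = BEFORE + "192.168.10         10.8.0.1           UGSc            1        5   utun2\n"

def parse_dest(dest):
    """Expand the abbreviated Destination column (e.g. '192.168.10') to a network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    prefix = int(plen) if plen else 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)

def parse_routes(text):
    """Return (network, gateway, interface) tuples; skip rows that are not IPv4 routes."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        try:
            # Interface is the first non-numeric field after the Flags column.
            iface = next(f for f in fields[3:] if not f.isdigit())
            routes.append((parse_dest(fields[0]), fields[1], iface))
        except (ValueError, StopIteration):
            continue
    return routes

def egress(routes, target):
    """Longest-prefix match: the (gateway, interface) that would carry traffic to target."""
    ip = ipaddress.ip_address(target)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    _, gateway, iface = max(hits, key=lambda r: r[0].prefixlen)
    return gateway, iface

def overlapping(*subnets):
    """Pairs of subnets that overlap; client LAN, VPN pool and remote LAN must all differ."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

print(egress(parse_routes(BEFORE), "192.168.10.1"), egress(parse_routes(AFTER), "192.168.10.1"))
```

Without the specific route, traffic for 192.168.10.1 falls through to the default gateway on `en0` and never enters the tunnel; with it, the match is the /24 via `utun2`.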
