Access OpenVPN client from LAN

I'm having trouble with a specific OpenVPN issue. I'm not even sure if this is possible or advised.

I'm running OpenVPN on a FreeBSD server dedicated to acting as an OpenVPN server. Both the network adapter and the OpenVPN TAP interface are grouped in a network bridge. The network bridge has a LAN IP. So far, this setup seems to work fine. I can ping the server, SSH to the server, anything I would want or need.

Code:
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=0
        ether 58:9c:fc:10:cb:45
        inet 192.168.13.5 netmask 0xffffff00 broadcast 192.168.13.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000000
        member: hn0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>

I can even connect with an OpenVPN client. And when connected, I get an IP that matches the LAN IP range. No tunnel, no routing, hence the bridged solution. And it works too; I can access anything in the network. So far so good.

However, the thing I'm stuck with is that I need to access the connected client from the LAN too, and I can't get this to work. If anyone could steer me in the right direction, it would be most appreciated.
 
Don't put the VPN (tap) interface in the bridge. Just use plain routing between the TAP interface and your LAN interface and push the routes to your VPN clients via OpenVPN.

Here's an example:

Enable forwarding in your /etc/rc.conf by adding:
gateway_enable="yes"
Note: don't forget to restart after this, or if you want to avoid a restart, change the sysctl net.inet.ip.forwarding to 1; it's the same variable as in rc.conf.

In your /usr/local/etc/openvpn/openvpn.conf, set the subnet for the tap0 interface, for example to 10.1.0.0/24, and push the route to the VPN clients for 192.168.13.0/24. The VPN clients will be in the 10.1.0.0/24 subnet and you only need to route the traffic between those two subnets.

server 10.1.0.0 255.255.255.0

push "route 192.168.13.0 255.255.255.0"

The network topology will look like this:
(attached image: 1714642603919.png)
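A small lint script for the routed layout described in this reply, added here as an example and not code from the thread or from OpenVPN. It parses the `server` and `push "route ..."` lines of a config, checks that the VPN pool does not overlap the LAN (an overlap makes the return path ambiguous), and confirms the LAN route is pushed. The LAN values and the sample config text are constructed from the numbers in the reply; `dev tun` in the sample is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): lint a routed OpenVPN server config against the LAN.
# LAN_NET/LAN_MASK and SAMPLE_CONF are constructed from the values given in the reply.

LAN_NET=192.168.13.0
LAN_MASK=255.255.255.0

# Constructed sample of the routed openvpn.conf fragment ("dev tun" is assumed here).
SAMPLE_CONF='dev tun
server 10.1.0.0 255.255.255.0
push "route 192.168.13.0 255.255.255.0"'

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap NET1 MASK1 NET2 MASK2 -> prints "yes" if the two networks share any address.
subnets_overlap() {
    a=$(ip2int "$1"); am=$(ip2int "$2"); b=$(ip2int "$3"); bm=$(ip2int "$4")
    # Compare under the shorter (numerically smaller) contiguous mask.
    if [ "$am" -lt "$bm" ]; then m=$am; else m=$bm; fi
    if [ $(( a & m )) -eq $(( b & m )) ]; then echo yes; else echo no; fi
}

# check_routed_conf CONFIG_TEXT -> prints "ok", or a reason and returns 1.
check_routed_conf() {
    conf=$1
    # Word-splitting the awk output into $1 (network) and $2 (mask) is intended.
    set -- $(printf '%s\n' "$conf" | awk '$1 == "server" { print $2, $3; exit }')
    if [ $# -ne 2 ]; then
        echo "no 'server <net> <mask>' line: clients get no pool"; return 1
    fi
    vpn_net=$1; vpn_mask=$2
    if [ "$(subnets_overlap "$vpn_net" "$vpn_mask" "$LAN_NET" "$LAN_MASK")" = yes ]; then
        echo "VPN pool $vpn_net/$vpn_mask overlaps LAN $LAN_NET/$LAN_MASK: routing is ambiguous"; return 1
    fi
    if ! printf '%s\n' "$conf" | grep -q "^push \"route $LAN_NET $LAN_MASK\""; then
        echo "missing push \"route $LAN_NET $LAN_MASK\": clients would not reach the LAN"; return 1
    fi
    echo ok
}

# Against the live file:  check_routed_conf "$(cat /usr/local/etc/openvpn/openvpn.conf)"
```

The pushed route only covers the client side. For LAN hosts to reach a VPN client, something on the LAN must also know that 10.1.0.0/24 is behind 192.168.13.5: either a static route on the LAN's default gateway (on a FreeBSD router, `route add -net 10.1.0.0/24 192.168.13.5`) or a route on each host that needs to talk to the clients.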
 
You need the OpenVPN server to proxy ARP the LAN IP the client gets.
You can try to connect the client, manually add an ARP entry for its IP with the server's LAN MAC and see if it works.
If it works, you can add it to the script the server executes when a client connects/disconnects (you'll need sudo/doas for this).
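What such a connect/disconnect hook can look like, added here as an example rather than a script from the thread or from OpenVPN. It uses the real OpenVPN hook environment (`script_type` and `ifconfig_pool_remote_ip`) and FreeBSD's `arp -s ... pub` to publish the client's address with the server's MAC; the install path `/usr/local/etc/openvpn/proxyarp.sh`, the use of `doas` as privilege helper and the `DRY_RUN` switch are assumptions, and the MAC default is the bridge0 address from the ifconfig output above. The client IP is validated before it reaches a privileged command.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN client-connect / client-disconnect hook that
# publishes the client's LAN IP via proxy ARP on the server, as the reply above suggests.
# Hypothetical install path /usr/local/etc/openvpn/proxyarp.sh, referenced from openvpn.conf as
#   script-security 2
#   client-connect    /usr/local/etc/openvpn/proxyarp.sh
#   client-disconnect /usr/local/etc/openvpn/proxyarp.sh
# OpenVPN exports script_type and ifconfig_pool_remote_ip into the hook's environment.
set -eu

SERVER_LAN_MAC="${SERVER_LAN_MAC:-58:9c:fc:10:cb:45}"   # bridge0 MAC from the ifconfig output above
RUN="${RUN:-doas}"    # privilege helper (assumed); set RUN="" if openvpn itself runs as root

# proxy_arp_cmd EVENT IP MAC -> prints the arp(8) command for that event (no execution).
proxy_arp_cmd() {
    case "$1" in
        client-connect)    echo "arp -s $2 $3 pub" ;;   # publish: server answers ARP for the client IP
        client-disconnect) echo "arp -d $2" ;;          # withdraw the entry when the client leaves
        *) echo "unexpected script_type: $1" >&2; return 1 ;;
    esac
}

# valid_ipv4 STRING -> true only for a dotted quad, so nothing else reaches a privileged command.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Only act when invoked by OpenVPN (script_type set); sourcing the file for testing runs nothing.
if [ -n "${script_type:-}" ]; then
    ip=${ifconfig_pool_remote_ip:?client IP missing from environment}
    valid_ipv4 "$ip" || { echo "refusing malformed client IP: $ip" >&2; exit 1; }
    cmd=$(proxy_arp_cmd "$script_type" "$ip" "$SERVER_LAN_MAC")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$RUN $cmd"          # DRY_RUN=1 prints what would run instead of running it
    else
        # Word-splitting $cmd into the arp(8) argv is intended.
        $RUN $cmd
    fi
fi
```

For the manual test the reply describes, the connect form is the command to type by hand on the server (`arp -s <client-ip> 58:9c:fc:10:cb:45 pub`), and `arp -an` shows whether the published entry is present; once that works, the hook does the same on every connect and removes it on disconnect so stale entries do not keep answering for an address that is no longer in use.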
 