OpenVPN server-client expanding the scope (accessing client-side machines from the server)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-09-20 12:46:22
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.1.1 Build 20210723

Hi all,

I've been playing around with two Omada ER605 routers, router 1 as an OpenVPN server (on a known public IP address), and router 2 as an OpenVPN client (on a dynamic IP address behind a NAT + firewall).

This all works fine from the client to the server side (e.g. a machine connected to router 2 can ping any machine connected to router 1), but not the other way around (e.g. a machine connected to router 1 cannot ping machines connected to router 2).


According to the OpenVPN website this is possible by "expanding the scope" to expose the subnet of the client to the server (and other clients): https://openvpn.net/community-resources/how-to/#scope

I've tried some things with setting up static routes on the OpenVPN server router (1), but without success.

Did anybody manage to get a similar setup running, or is it currently simply not possible with Omada hardware?

Are there any plans by the Omada developers to make this possible, preferably by simply enabling some checkboxes in the OpenVPN server/client setup GUI?

In short: my goal is to reach a setup similar to a site-to-site VPN, but using the OpenVPN server-client model because of the NAT + firewall on the client site.

Best regards!

Hans

Re:OpenVPN server-client expanding the scope (accessing client-side machines from the server)
2021-09-22 03:49:47

@HansvSchoot

How do you access the VPN Client when on the Server's local LAN network? Using the local IP address?

Try to access the IP address assigned from VPN IP pool, can you get a reply from the VPN client?

Just being curious about it.

Just striving to develop myself while helping others.

Re:OpenVPN server-client expanding the scope (accessing client-side machines from the server)
2021-09-23 08:48:22

@Virgo

Thanks for the reply!

To make things a bit more clear:

Router 1 (OpenVPN server):
WAN IP: 145.X.Y.Z
LAN: 192.168.32.1 / 24
OpenVPN (server) Local IP: 192.168.100.1
OpenVPN (server) Remote IP: 192.168.100.6

Client A behind Router 1:
LAN 192.168.32.71 / 24


Router 2 (OpenVPN client):
WAN IP: unknown/dynamic (NAT+Firewall, 192.168.1.X)
LAN: 192.168.29.1 / 24
OpenVPN (client) Local Remote IP: 192.168.100.5

Client B behind Router 2:
LAN: 192.168.29.220 / 24

Client B can ping everything I want it to reach:
192.168.29.1 (router 2 on LAN)
192.168.32.1 (router 1 on LAN via OpenVPN)
192.168.32.71 (client A on LAN via OpenVPN)
it can also ping 192.168.100.1, 192.168.100.6, but not 192.168.100.5


Client A can only ping:
192.168.32.1 (router 1 on LAN)
192.168.100.1 (router 1 on OpenVPN)
192.168.100.6 (OpenVPN remote IP for router 1 on router 2, this times out when I disconnect router 2)
it cannot ping:
192.168.29.1 (router 2 on LAN, via OpenVPN. Destination unreachable from my ISP network stack, so router 1 sends this to 0.0.0.0)
192.168.29.220 (client B on LAN via OpenVPN. Also destination unreachable)

 

I believe the OpenVPN people refer to this (have A connect to B) as "extending the scope", and it would make for a very cool feature in the Omada OpenVPN implementation (I have not found other routers that do this, only properly configured Linux boxes running the OpenVPN server & client).

Routing info:

Router 1 has 2 entries in the routing table for the 192.168.100.0/24 range:

Destination IP/subnet    Next hop          Interface
192.168.100.0/24         192.168.100.2     R432-OpenVPN-Server
192.168.100.2            0.0.0.0           R432-OpenVPN-Server

Router 2 has 3 entries in the routing table, for 192.168.100.0/24 AND 192.168.32.0/24:

Destination IP/subnet    Next hop          Interface
192.168.32.0/24          192.168.100.5     OpenVPN-client-R429
192.168.100.0/24         192.168.100.5     OpenVPN-client-R429
192.168.100.5            0.0.0.0           OpenVPN-client-R429

I tried fixing this by adding a static route on router 1:
192.168.29.0/24, next hop 192.168.100.2 
(interface is not selectable if next hop is chosen, and OpenVPN is also not an option in the interface dropdown list)


This results in ping timeouts, which means the router sends it somewhere but it is not picked up at the other end?


I've also tried 192.168.100.1, .5 and .6 as next hop IPs, but this seems to get ignored as I still get a "destination unreachable"

Anyway thanks for thinking along, and do let me know if you have other ideas to try!

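The two routing tables and the static-route attempt in the post above can be checked with a plain longest-prefix lookup. The following is an added example written for this page, not code from the post, from TP-Link or from OpenVPN. It transcribes the tunnel rows exactly as posted (the bare 192.168.100.2 and 192.168.100.5 entries are written as /32), assumes the connected-LAN and default routes the post does not print (the ISP gateway 198.51.100.1 and the NAT upstream 192.168.1.1 are constructed placeholders), and adds a second lookup that models the server-side behaviour the linked OpenVPN how-to describes: a kernel route gets a packet as far as the tunnel interface, but the OpenVPN daemon then forwards it only to a client session whose ccd file carries a matching `iroute` for the destination subnet; the client name `router2` is an assumption.

```python
"""Longest-prefix route lookup over the routing tables posted in the thread,
plus OpenVPN's internal iroute lookup. Added example, not from the original
post. LAN/default rows and the client name "router2" are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    next_hop: str  # "0.0.0.0" = directly connected, as the Omada GUI shows it
    iface: str


def route(dest: str, next_hop: str, iface: str) -> Route:
    return Route(ipaddress.IPv4Network(dest, strict=False), next_hop, iface)


# Router 1 (OpenVPN server). Tunnel rows as posted; LAN and default assumed.
ROUTER1: List[Route] = [
    route("192.168.100.0/24", "192.168.100.2", "R432-OpenVPN-Server"),
    route("192.168.100.2/32", "0.0.0.0", "R432-OpenVPN-Server"),
    route("192.168.32.0/24", "0.0.0.0", "LAN"),        # assumed connected LAN
    route("0.0.0.0/0", "198.51.100.1", "WAN"),         # assumed ISP default route
]

# Router 2 (OpenVPN client). Tunnel rows as posted; LAN and default assumed.
ROUTER2: List[Route] = [
    route("192.168.32.0/24", "192.168.100.5", "OpenVPN-client-R429"),
    route("192.168.100.0/24", "192.168.100.5", "OpenVPN-client-R429"),
    route("192.168.100.5/32", "0.0.0.0", "OpenVPN-client-R429"),
    route("192.168.29.0/24", "0.0.0.0", "LAN"),        # assumed connected LAN
    route("0.0.0.0/0", "192.168.1.1", "WAN"),          # assumed NAT upstream gateway
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route matching dst, or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def with_static_route(table: List[Route], dest: str, next_hop: str) -> List[Route]:
    """Add a static route the way a next-hop-only GUI does: the egress interface
    is whatever the next hop itself resolves to (a recursive lookup)."""
    via = lookup(table, next_hop)
    if via is None:
        raise ValueError(f"next hop {next_hop} is not reachable")
    return table + [route(dest, next_hop, via.iface)]


def openvpn_client_for(iroutes: Dict[str, List[str]], dst: str) -> Optional[str]:
    """OpenVPN's internal routing on the server: once the kernel has put a packet
    on tun, the daemon hands it to the client whose ccd file has an 'iroute'
    covering dst. With no match there is no session to send it to and it is dropped."""
    addr = ipaddress.IPv4Address(dst)
    for client, nets in iroutes.items():
        if any(addr in ipaddress.IPv4Network(n) for n in nets):
            return client
    return None


if __name__ == "__main__":
    print("router1 -> 192.168.29.220:", lookup(ROUTER1, "192.168.29.220"))
    fixed = with_static_route(ROUTER1, "192.168.29.0/24", "192.168.100.2")
    print("router1 + static -> 192.168.29.220:", lookup(fixed, "192.168.29.220"))
    print("openvpn owner, no iroute:", openvpn_client_for({}, "192.168.29.220"))
    print("openvpn owner, with iroute:",
          openvpn_client_for({"router2": ["192.168.29.0/24"]}, "192.168.29.220"))
```

Without the static route, router 1 resolves 192.168.29.220 to the assumed default route, which is consistent with the "destination unreachable" the poster sees. With the static route via 192.168.100.2 the lookup lands on the tunnel interface, and at that point the daemon's own table decides whether anything is delivered: with an empty iroute table the packet has no owner, which is a plausible way to get the timeouts reported above, though whether the Omada firmware exposes any of this is exactly what the thread leaves open.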
Re:OpenVPN server-client expanding the scope (accessing client-side machines from the server)
2021-09-24 09:09:50

@HansvSchoot 

Just my perspective:

Unfortunately, that's how client-to-site works; static routing won't help.

If you want to build a bidirectional communication, the only option on Controller is to set IPsec Site-to-site VPN.

Just striving to develop myself while helping others.

Re:OpenVPN server-client expanding the scope (accessing client-side machines from the server)
2021-09-24 10:52:50

Ok, I was afraid of that, as IPsec site-to-site cannot be done without port forwarding on the NAT-connected router.

It is possible with an OpenVPN client-to-site setup to expose the client-side subnet (see the openvpn.net website https://openvpn.net/community-resources/how-to/#scope ), but unfortunately this is not implemented in the OpenVPN options in Omada. If TP-Link added this feature, that would make for a very unique selling point IMHO.

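For contrast with the Omada GUI, this is what the "expanding the scope" setup from the how-to linked above looks like on a plain Linux OpenVPN server. It is an added example written for this page, not Omada's configuration and not code from the thread. The hub LAN 192.168.32.0/24 and the spoke LAN 192.168.29.0/24 are the thread's subnets; the second spoke subnet 192.168.28.0/24, the certificate common names `router2` and `router3`, and all file paths are assumptions, included to show the general form with more than one spoke.

```conf
# /etc/openvpn/server.conf  (hub, playing router 1's role; LAN 192.168.32.0/24)
port 1194
proto udp
dev tun
topology subnet
server 192.168.100.0 255.255.255.0
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key 0

# 1. Kernel routes on the server host: packets for each spoke LAN go into tun.
#    192.168.29.0/24 is behind router 2; 192.168.28.0/24 is an assumed second spoke.
route 192.168.29.0 255.255.255.0
route 192.168.28.0 255.255.255.0

# 2. Per-client files, named after the client certificate's CN, carry the
#    matching 'iroute' so the daemon knows which session owns each subnet.
client-config-dir /etc/openvpn/ccd

# 3. Every spoke learns the hub LAN. Spoke-to-spoke traffic additionally needs
#    client-to-client; the other spokes' routes are pushed from the ccd files
#    below so that no spoke is ever pushed a route to its own LAN.
push "route 192.168.32.0 255.255.255.0"
client-to-client

keepalive 10 60
persist-key
persist-tun
verb 3

# /etc/openvpn/ccd/router2   (CN of router 2's certificate, assumed)
iroute 192.168.29.0 255.255.255.0
push "route 192.168.28.0 255.255.255.0"

# /etc/openvpn/ccd/router3   (CN of router 3's certificate, assumed)
iroute 192.168.28.0 255.255.255.0
push "route 192.168.29.0 255.255.255.0"
```

The spoke side needs nothing beyond a normal client config: the client router must already be the default gateway of its LAN (as router 2 is here) and have IP forwarding enabled, and the server host needs forwarding enabled too. The `route` and `iroute` pair is the part the thread is missing; `route` alone gets a packet onto tun, `iroute` alone never gets it there, and either one without the other produces exactly the kind of silent timeout the poster describes. If the server host is not the default gateway of the hub LAN, the hub LAN hosts additionally need a route for each spoke subnet pointing at the server host.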
Re:OpenVPN server-client expanding the scope (accessing client-side machines from the server)
2021-09-24 12:46:43

@HansvSchoot

Why not use L2TP or PPTP site-to-site?

Create a user like this on the site with a fixed IP:

And like this on the remote site with a dynamic IP:

#6
Options
Re:OpenVPN server-client expanding the scope (accessing client-side machines from the server)
2021-09-24 13:03:47

@HansvSchoot

Another option is IPsec site-to-site.

I use site-to-site with a dynamic IP on both ends, but you have to use NO-IP or something like that.

If you are behind NAT you have to set the local ID and remote ID; it works very well.

Re:OpenVPN server-client expanding the scope (accessing client-side machines from the server)
2021-09-27 12:13:06

@shberge

Thanks, that actually seems to work!
Now I need to do some more reading to see what the different IP range settings are for, and if it is possible to do this with multiple site-to-site L2TP clients and if those can also connect to each other.

If I figure out a fully working solution I'll post the details here.

Re:OpenVPN server-client expanding the scope (accessing client-side machines from the server)
2022-02-15 23:15:40
Hey! Did you manage to set up point-to-point access?

Re:OpenVPN server-client expanding the scope (accessing client-side machines from the server)
2022-02-17 09:27:05

@altary

Hi!

Yes and no.


I managed to get a site-to-site setup working, but only between two Omada ER605 routers (A and B) and their clients (A1, A2, B1, B2). Meaning all clients could contact the other clients: A1 could talk to A2, B1 & B2, and B1 could also reach B2, A1 and A2.
However I wanted to expand this with a third and fourth router (C and D), and also have their clients be able to talk to all other clients. I managed to connect C and D, and have their clients (C1, C2, D1, D2) be able to talk with A1 and A2, and have A1/A2 be able to talk to all other clients (B1/2, C1/2, D1/2). However, the clients on the secondary routers (B1/2, C1/2, D1/2) could not talk directly with each other, so B1 could NOT reach C1, C2, D1, D2.

So the setup is partially usable, but when using more than two routers you need to make sure that any shared resources are all hooked up to the main router A, otherwise you get into problems.

Let me know if you need details for the setup; if so I can dig them out of my configurations.

Information: Helpful: 0 | Views: 1536 | Replies: 9