OpenVPN-Server (standalone mode) not working / not understood

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

OpenVPN-Server (standalone mode) not working / not understood

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
OpenVPN-Server (standalone mode) not working / not understood
OpenVPN-Server (standalone mode) not working / not understood
2022-03-31 08:22:42
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.0.0 Build 20220106 Rel.56391

Hello all together :)

 

Pre-issue 1: I haven't even found a user manual for the 605 on TP-Link's websites. I have found on at manualzz, but this is lacking OpenVPN.

Any resources you could recommend to better understand TP-Link's implementation?

 

Pre-issue 2: NAT only? I configured one WAN port with a static IP of 192.168.0.19 (192.168.0.0/24) is my surrounding lab network. The LAN side i defined with 192.168.1.0/24. 

The only way to access a host on the "LAN" port (192.168.1.100) was by adding a NAT rule (portforward) - the LAN-side can access resources in the lab and the Internet without additional effort.

Can I switch off NAT? Or am I handling it wrong?

 

Main issue: I get a connection to an OpenVPN-Server, but don't know how to connect to resources?

My test setup:

- WAN-Interface static IP 192.168.0.19 (192.168.0.0/24 is my lab)

- LAN 192.168.1.0/24 DHCP

- OVPN-server UDP/1194 - local net: 192.168.2.0/24 - IP pool: 192.168.2.32/29

 

I downloaded the client config, just added "remote 192.168.0.19; port: 1194" and connected successfully from lab-LAN to the OVPN-server.

The client has a remote IP of 192.168.2.38.

(I have a log of what the OVPN client did during the connection process - I put it below!) 

 

How can I move from here?

I was not able (maybe by adding a route - tun is not a valid interface for static routes) to access a resource on one of the LAN ports, e.g. a web server I started on LAN2 with 192.168.1.100:8080.

Or should I configure the OVPN-server to use the same network (192.168.1.0/24) as the physical LAN is configured to?

 

Thank you!

 

 

 

Attachment:

part of the log of the OVPN client when connecting

2022-03-30 18:45:05 EVENT: ASSIGN_IP

2022-03-30 18:45:05 NIP: preparing TUN network settings

2022-03-30 18:45:05 NIP: init TUN network settings with endpoint: 192.168.0.19

2022-03-30 18:45:05 NIP: adding IPv4 address to network settings 192.168.2.38/255.255.255.252

2022-03-30 18:45:05 NIP: adding (included) IPv4 route 192.168.2.36/30

2022-03-30 18:45:05 NIP: adding (included) IPv4 route 192.168.2.0/24

2022-03-30 18:45:05 NIP: adding (included) IPv4 route 192.168.2.32/28

2022-03-30 18:45:05 NIP: adding (included) IPv4 route 192.168.2.32/28

2022-03-30 18:45:05 NIP: adding DNS 192.168.2.0

2022-03-30 18:45:05 NIP: adding DNS 8.8.8.8

2022-03-30 18:45:05 NIP: adding match domain ALL

2022-03-30 18:45:05 NIP: adding DNS specific routes:

2022-03-30 18:45:05 NIP: adding (included) IPv4 route 192.168.2.0/32

2022-03-30 18:45:05 NIP: adding (included) IPv4 route 8.8.8.8/32

2022-03-30 18:45:05 Connected via NetworkExtensionTUN

2022-03-30 18:45:05 LZO-ASYM init swap=0 asym=1

2022-03-30 18:45:05 Comp-stub init swap=0

2022-03-30 18:45:05 EVENT: CONNECTED 192.168.0.19:1194 (192.168.0.19) via /UDPv4 on NetworkExtensionTUN/192.168.2.38/ gw=[/]

 

 

  0      
  0      
#1
Options
5 Reply
Re:OpenVPN-Server (standalone mode) not working / not understood
2022-04-01 11:39:32

  @tschloss 

 

As far as I know, NAT is enabled by default and cannot be turned off.
You are using R605 as OpenVPN Server, right?  
Did you add any other parameters when you exported the openvpn configuration file?
Did the tunnel build successfully?
Can you try pinging the local IP shown on the tunnel to see if you can get through?

  0  
  0  
#2
Options
Re:OpenVPN-Server (standalone mode) not working / not understood
2022-04-01 12:29:41

 Thank you!

 

>> As far as I know, NAT is enabled by default and cannot be turned off.
That is bad news. I was looking for a bit more versatile router,.

 

>> You are using R605 as OpenVPN Server, right?  

Yes.

(The goal is: I have a LAN 192.168.0.0/24 behind a DSL NAT Router. I need to make a couple of hosts (12 surveillance cameras in that LAN) accessible from the outside. So the OVPN-Server should be accessible from outside (by forwarding a port to 1194 of the TP-Link-router) and give access to the OVPN-client from there)

=> so the OVPN remote client finally needs to be routed or bridged into the same LAN, the WAN port is part of )

 

>> Did you add any other parameters when you exported the openvpn configuration file?

Yes: two lines with  remote and port


>> Did the tunnel build successfully?

Yes.

In both setups: a) coming from the outer LAN and b) coming from the Internet through a portforward onto the TP-Link-router 1194.


>> Can you try pinging the local IP shown on the tunnel to see if you can get through?

Yes. See terminal  "log":

 

tschloss@Mac-mini % ifconfig

....

utun8: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    inet 192.168.2.38 --> 192.168.2.38 netmask 0xffffffff

 

tschloss@Mac-mini % ping 192.168.2.38
PING 192.168.2.38 (192.168.2.38): 56 data bytes
64 bytes from 192.168.2.38: icmp_seq=0 ttl=64 time=46.462 ms
64 bytes from 192.168.2.38: icmp_seq=1 ttl=64 time=3.335 ms
64 bytes from 192.168.2.38: icmp_seq=2 ttl=64 time=3.330 ms

  0  
  0  
#3
Options
Re:OpenVPN-Server (standalone mode) not working / not understood
2022-04-08 11:26:02

  @tschloss 

What kind of server are you trying to access? Is that some kind of server that you are able to use IP to log in like the shared folders?

  0  
  0  
#4
Options
Re:OpenVPN-Server (standalone mode) not working / not understood
2022-04-08 11:30:00
I am using the 606 in server mode and want to be accessed from outside the DSL NAT router. I will post an update separately.
  0  
  0  
#5
Options
Re:OpenVPN-Server (standalone mode) not working / not understood
2022-04-08 11:49:30 - last edited 2022-04-08 11:53:19

Thank you for contributing.

 

I tweaked it to work more or less like expected.

 

The key finding was that the built-in OpenVPN-server runs in bridged mode!

 

As soon as I defined the VPN target network identical with the LAN definition of the router itself I had access to the hosts in this network. The tun endpoint no longer hangs in the air.

 

So this is the working setup:

605/router (NAT forced by TPL): 

- WAN = 192.168.100.204 (/24)  [this is because the DSL router's LAN is 192.168.100.0/24 and I need a portforward]

- LAN = 192.168.0.0/24 GW:.1

605/OVPN-server (bridged forced by TPL):

- target = 192.168.0.0/24 GW per definition .1

- pool = 192.168.0.32/28

Upstream context:

DSL-NAT Router:

- WAN = DHCP (with DyDNS)

- LAN = 192.168.100.0/24

- Portforward UDP/11194 >> 192.168.100.204:1194

 

I would have preferred a routed solution (expecting the 605 can be configured as a router - not only a NAT router) but I can live with this limited setup.

 

I also added two lines to the ovpn-client-config:

route-nopull

route 192.168.0.0/24

 

This enables split-tunneling to make sure only this traffic (and not all traffic) is sent into the tunnel.

Caveat: if the client lives in a 192.168.0.0 network this will not work. 

 

So I can access the inner hosts behind a NAT Internet router through a DynDNS IP, forwarded to the OpenVPN-server in the inside of the LAN, bridging remote clients into the LAN.

 

 

  2  
  2  
#6
Options

Information

Helpful: 0

Views: 466

Replies: 5

Related Articles