OpenVPN cannot access all the networks (local yes, but not the remote LAN)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-04-18 16:25:40 - last edited 2022-04-18 16:39:21
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: ER7206(UN)_V1_1.2.0 Build 20220117

Hi community!

 

I have set up 2 ER7206 for LAN2LAN usage. I set it up using IPsec. It works perfectly in local usage, i.e. machines connected behind the routers can see each other.

 

It looks like this:

LAN1 <-> Main site [ER7206] <- internet -> remote site [ER7206]  <-> LAN2

 

Then I have set up a VPN access at the main site (on LAN1).

Before the last firmware, I only had access to LAN1 using PPTP.

With the new firmware ( ER7206(UN)_V1_1.2.0 Build 20220117 ), VPN access from LAN1 is working with L2TP and PPTP: connected from home to LAN1 I can access all machines on LAN1 and LAN2: Good!

(For L2TP I have to change some registry keys in my W10 box.)

 

But I have an issue using OpenVPN (new feature of the firmware and my preferred client VPN). The server setup is simple and fast but the connection gives me access only to LAN1. No way to access LAN2.

 

The OpenVPN client gives me an IP in a dedicated range outside LAN1 (as set up) with a fixed netmask 255.255.255.252 and without a gateway!

 

Here is what I have (in French) connected using OpenVPN from home:

   Suffixe DNS propre à la connexion. . . :
   Adresse IPv6 de liaison locale. . . . .: xxxx
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.100.6
   Masque de sous-réseau. . . . . . . . . : 255.255.255.252
   Passerelle par défaut. . . . . . . . . :

 

LAN1 is like 192.168.10.0/24 Router 192.168.10.1

The IP I get using OpenVPN is in 192.168.100.0/24 (yes, /24, and I have a /30 netmask): no way to get an IP from an IP pool; there is only an input for an IP, not a VPN IP Pool.

 

Basically, I thought I had to define one VPN IP pool per VPN access (L2TP, PPTP, OpenVPN), but the VPN IP pool is used only by PPTP and L2TP.

It was the same issue using PPTP with the previous firmware: the IP was on the LAN but there was no route to LAN2. It is fixed now.

 

I have the following using PPTP when connected from home:

  Suffixe DNS propre à la connexion. . . :
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.10.8
   Masque de sous-réseau. . . . . . . . . : 255.255.255.255
   Passerelle par défaut. . . . . . . . . : 0.0.0.0

 

I have the following using L2TP when connected from home:

  Suffixe DNS propre à la connexion. . . :
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.10.8
   Masque de sous-réseau. . . . . . . . . : 255.255.255.255
   Passerelle par défaut. . . . . . . . . : 0.0.0.0

 

=> It is consistent

 

My IP is linked on the LAN to a 192.168.10.xx IP set up in the user configuration: everything is OK!

 

For OpenVPN: Is it a firmware issue or did I miss something?

 

Thanks for help!

 

#1
Re:OpenVPN cannot access all the networks (local yes, but not the remote LAN)
2022-04-20 04:46:00

  @Didier31 

I only tested Standalone mode; when setting up the OpenVPN server there is a Remote Subnets option, and it can cover more than one subnet.

 

I did not really test if it also works for Site-to-Site with different sites' subnets. But you may give it a try.

 

 

#2
Re:OpenVPN cannot access all the networks (local yes, but not the remote LAN)
2022-04-20 20:16:08

Hi all and @Somnus!


Thanks for the answer.

But when I set up the OpenVPN server I have no remote option!

You are talking about an OpenVPN client on the ER7206 box.

 

I use an OpenVPN server on the ER7206 and connect from home with my PC using OpenVPN Connect. I see only the remote LAN, not the other LAN accessed with the LAN 2 LAN VPN.

 

Thanks.

 

 

#3
Re:OpenVPN cannot access all the networks (local yes, but not the remote LAN)
2022-04-20 23:43:47

  @Didier31 

 

I haven’t been in exactly the same situation, but that’s my take on your issue for whatever it’s worth.

 

“LAN1 is like 192.168.10.0/24 Router 192.168.10.1

IP get using OpenVPN is in 192.168.100.0/24 (yes /24 and I have a /30 netmask)”

 

Is the 192.168.100.0/24 subnet already on LAN1? I mean LAN1 by itself, no OpenVPN involved. Is the routing between this subnet and the 192.168.10.0/24 subnet already working? If not, try to configure your LAN1 OpenVPN server on the 192.168.10.0/24 subnet instead. Make sure the VPN IP Pool does not overlap with your local DHCP pool in this subnet.

 

BTW, I’m surprised that you can use the /30 netmask in the OpenVPN IP Pool. My ER7206 let me set /29 max (same firmware version).

 

“OpenVPN client give me an IP in a dedicated range outside LAN1 (as set up) with a fix net mask 255.255.255.252 and without gateway!”

 

That’s how the output of ‘ipconfig’ looks when you use OpenVPN. Run ‘route print’ to get the whole picture.

Kris K
#4
Re:OpenVPN cannot access all the networks (local yes, but not the remote LAN)
2022-04-23 15:56:46 - last edited 2022-04-23 15:58:17

Hi @KJK!

 

Thanks for the answer.

 

My Lan1 is 192.168.10.0/24

My Lan2 is 192.168.11.0/24

 

LAN1 is the entry point of OpenVPN (and also of PPTP and L2TP, which are running fine but need the W10 registry modified).

 

It is not possible to set OpenVPN on the same local subnet. It is possible using a /27, but same issue.

 

You are right about the ipconfig. Here is the route print (in French :)) using an OpenVPN IP in 192.168.100.0/24:

IPv4 Table de routage
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.124     25
      93.8.29.169  255.255.255.255      192.168.1.1    192.168.1.124    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.124    281
    192.168.1.124  255.255.255.255         On-link     192.168.1.124    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.124    281
     192.168.10.0    255.255.255.0    192.168.100.5    192.168.100.6    257
   192.168.19.255  255.255.255.255         On-link      192.168.19.1    291
    192.168.100.6  255.255.255.255         On-link     192.168.100.6    257
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.100.6    257
        224.0.0.0        240.0.0.0         On-link     192.168.1.124    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.100.6    257
  255.255.255.255  255.255.255.255         On-link     192.168.1.124    281
  255.255.255.255  255.255.255.255         On-link      192.168.19.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.147.1    291
===========================================================================
Itinéraires persistants :
  Adresse réseau    Masque réseau  Adresse passerelle Métrique
          0.0.0.0          0.0.0.0     192.168.10.1  Par défaut
===========================================================================

 

I also added a local route on my PC: the same result.

I set what you said (OpenVPN IP in local subnet 192.168.10.248/29).

=> Same result.

Here is the route print:

===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.124     25
      93.8.29.169  255.255.255.255      192.168.1.1    192.168.1.124    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.124    281
    192.168.1.124  255.255.255.255         On-link     192.168.1.124    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.124    281
     192.168.10.0    255.255.255.0   192.168.10.253   192.168.10.254    257
   192.168.10.248  255.255.255.248   192.168.10.253   192.168.10.254    257
   192.168.10.252  255.255.255.252         On-link    192.168.10.254    257
   192.168.10.254  255.255.255.255         On-link    192.168.10.254    257
   192.168.10.255  255.255.255.255         On-link    192.168.10.254    257
     192.168.19.0    255.255.255.0         On-link      192.168.19.1    291
     192.168.19.1  255.255.255.255         On-link      192.168.19.1    291
   192.168.19.255  255.255.255.255         On-link      192.168.19.1    291
    192.168.147.0    255.255.255.0         On-link     192.168.147.1    291
    192.168.147.1  255.255.255.255         On-link     192.168.147.1    291
  192.168.147.255  255.255.255.255         On-link     192.168.147.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.10.254    257
        224.0.0.0        240.0.0.0         On-link     192.168.1.124    281
        224.0.0.0        240.0.0.0         On-link      192.168.19.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.147.1    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.10.254    257
  255.255.255.255  255.255.255.255         On-link     192.168.1.124    281
  255.255.255.255  255.255.255.255         On-link      192.168.19.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.147.1    291
===========================================================================
Itinéraires persistants :
  Adresse réseau    Masque réseau  Adresse passerelle Métrique
          0.0.0.0          0.0.0.0     192.168.10.1  Par défaut
===========================================================================

 

Note: 192.168.19 and 192.168.147 are for the VMware local network. Disregard them.

 

But if I manually add a route on my PC using

route add 192.168.11.0 mask 255.255.255.0 192.168.10.253

 

=> It works.

But users are not allowed to add routes. They don't know what it is!

 

Thanks for your help, but now I have a new issue: how to add this route automatically?

 

Didier

 

 

 

#5
Re:OpenVPN cannot access all the networks (local yes, but not the remote LAN)
2022-04-23 17:39:19

Hi @KJK!

 

I respond to myself!

 

For OpenVPN, we can use the OpenVPN client. It connects on its own directly to the server, BUT with the default ovpn file, clients only see the LAN of the OpenVPN server. If you want connected clients to see another part of your network you will have to add a route in the VPN session.

 

 

2 solutions:

- Bad solution: add route on client side (admin privs ... command line)

- Good solution: add route into ovpn file!

 

I have found the solution but I did not find full documentation of the ovpn file.

In short, just add the route accessible to the client in the profile.

For my case: (adapt to your cases, or add several routes)

route 192.168.11.0 255.255.255.0

 

And just reconnect !

 

Thanks.

#6
Re:OpenVPN cannot access all the networks (local yes, but not the remote LAN)
2022-04-23 22:44:12

  @Didier31 

 

It’s nice to see that you have found a solution that works for you. It looks like OpenVPN is quite a flexible product and can be successfully configured in various ways.

 

I configure my OpenVPN server on local subnets with established routes. I have 4 subnets in my local network and I can use any of them as ‘Local Network’ in the OpenVPN Server configuration. No additional routes are necessary. I also edit the .ovpn file to change the server IP (remote) address to my DDNS name as well as add my own DNS servers and local DNS domain.

 

It is worth noting that this TP-Link implementation of OpenVPN unfortunately has an “undocumented feature.” It pushes the ‘Local Network’ IP as the primary DNS server to clients, which is terribly wrong if you enter the true local network IP there instead of the local network default gateway. Moreover it pushes 8.8.8.8 (Google) as the secondary DNS server. These IP addresses cannot be removed but they can be pushed down the list of DNS servers with the ‘dhcp-option DNS’ directive.

 

Cheers!

Kris K
#7
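Here is an added example (my code, not from the thread or from TP-Link) that applies the two profile edits discussed in the previous two posts: client-side `route` lines for the subnets reached over the site-to-site link, and `dhcp-option DNS` entries. The sample profile is constructed, the tunnel pool 192.168.100.0/24 is taken from the thread's first setup, and the profile is assumed to use inline `<ca>`-style blocks, before which the new directives are inserted.

```python
import ipaddress

# Constructed minimal client profile in the shape of a router-exported .ovpn
# (not a real export from the thread): the route and DNS lines are absent.
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""

# Assumed OpenVPN IP pool, as in the thread's first setup.
TUNNEL_POOL = ipaddress.ip_network("192.168.100.0/24")


def route_lines(subnets, tunnel_pool=TUNNEL_POOL):
    """Turn CIDR subnets into OpenVPN 'route <network> <netmask>' lines.

    strict=True rejects host addresses such as 192.168.11.5/24, and a subnet
    overlapping the tunnel pool is rejected because it would shadow the
    tunnel's own addresses.
    """
    lines = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.overlaps(tunnel_pool):
            raise ValueError(f"{net} overlaps the tunnel pool {tunnel_pool}")
        lines.append(f"route {net.network_address} {net.netmask}")
    return lines


def add_client_options(profile, subnets, dns_servers=()):
    """Insert route and 'dhcp-option DNS' lines before the first inline
    <tag> block. Directives already present are skipped, so running this
    twice leaves the profile unchanged."""
    wanted = route_lines(subnets)
    wanted += [f"dhcp-option DNS {ipaddress.ip_address(d)}" for d in dns_servers]
    existing = {line.strip() for line in profile.splitlines()}
    new = [w for w in wanted if w not in existing]
    if not new:
        return profile
    head, sep, tail = profile.partition("\n<")
    if not sep:  # no inline blocks: append at the end
        return profile.rstrip("\n") + "\n" + "\n".join(new) + "\n"
    return head + "\n" + "\n".join(new) + "\n<" + tail
```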
Re:OpenVPN cannot access all the networks (local yes, but not the remote LAN)
2022-04-25 17:49:54

Hi @KJK!

 

Thanks for your answer! I need to add a route in my ovpn file. It is OK (I also changed the IP to my DDNS).

Your configuration is my next step.

But I did not succeed in defining several subnets on 2 sites: 2 subnets per site, 1 subnet strictly "private" without internet access but seeing the other private subnet, the other subnet with internet access and seeing everything; sites are linked together with a LAN2LAN IPsec VPN.

 

Can you give some explanations on how your network is set up and how you have defined it in the ER7206 (no controller)?

(LAN, VLAN, route between subnets...)

 

Thanks for your time!


#8
Re:OpenVPN cannot access all the networks (local yes, but not the remote LAN)
2022-05-03 20:05:42

  @Didier31 

 

This is a pretty late reply, but I couldn’t answer earlier.

 

I’m not sure if my network configuration will be of any help to you, because ER7206 is not at the centre of my network. I have a routing switch and all inter-VLAN traffic is handled by that switch and does not reach the router at all. I use that router only for Internet traffic. The router sits at the edge of my Management VLAN and as such it is not configured to be VLAN-aware. However I did define some static routes on it to tell the router how to reach the subnets on my other VLANs.

 

As for the OpenVPN configuration, I think that you have configured the OpenVPN server the opposite way to my configuration. In my configuration the ‘Local Network’ is always one of the subnets on the OpenVPN server side. The ‘IP Pool’ can be just any private IP range as long as it does not conflict with the subnets on the VPN server side.

 

However, such a configuration will give you access only to the one local subnet you have entered in the OpenVPN server configuration. The router's standalone GUI does not make it possible to add any additional local subnets. I think you can do it with Omada, but I do not have any Omada controller to verify it.

 

The implementation of OpenVPN on the ER7206 uses a long-deprecated topology called ‘net30’ and it is very limited. This topology has been replaced with a topology called ‘subnet’ which works much better. I’m not a big VPN user, but if I were one and I wanted to use OpenVPN, I would look for some Open Source implementation instead.

Kris K
#9
Re:OpenVPN cannot access all the networks (local yes, but not the remote LAN)
2022-05-07 17:43:18

Hi @KJK!

 

Thanks for your answer.

You are right, OpenVPN uses a net30 architecture which offers only 2 IPs on the VPN client side (net + local IP, remote IP + broadcast). It allows isolating (or not) each client.

 

Thanks for your help! My favorite VPN client connection is OpenVPN, because L2TP is "special" on the Windows side (need to modify some registry key, fully explained on TP-Link support; but I am not for changing registry keys). OpenVPN Connect is so ... simple and efficient!

 

TP-Link's OpenVPN implementation should offer simpler options/help:

- how to generate different client keys (just restart the service and export OVPN file)

- allow adding a route to the remote LAN (accessible with site2site)

- ...

 

On the other hand, the OpenVPN documentation is not very detailed on the ovpn file.

 

But GUI is fine!

 

I can't wait for the next firmware with bug corrections (in the log, it is always 169.254.11.22 that is connecting to the GUI when using VPN) and new features!

 

Regards!


 

 

#10
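As an added diagnostic (my code, not from the thread or from TP-Link) tying the ‘route print’ output in post #5 to the net30 remark above: it derives the server-side endpoint of the client's /30 from the client address (which is why the manual route in post #5 had to use 192.168.10.253 as gateway), lists the networks the client actually routes through the tunnel, and reports the `route` directives still missing. The route-print excerpt is constructed in the shape of the thread's table, and the wanted subnets 192.168.10.0/24 and 192.168.11.0/24 are the thread's LAN1 and LAN2.

```python
import ipaddress

# Constructed excerpt in the shape of the Windows 'route print' rows from the
# thread (only the rows that matter here; headers omitted): dest, mask,
# gateway, interface, metric.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.124     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.124    281
     192.168.10.0    255.255.255.0    192.168.100.5    192.168.100.6    257
    192.168.100.6  255.255.255.255         On-link     192.168.100.6    257
        224.0.0.0        240.0.0.0         On-link     192.168.100.6    257
"""


def net30_peer(client_ip, netmask="255.255.255.252"):
    """Under OpenVPN's net30 topology each client gets a /30: network,
    server-side endpoint, client address, broadcast. Return the endpoint the
    client must use as gateway for anything routed through the tunnel."""
    iface = ipaddress.ip_interface(f"{client_ip}/{netmask}")
    if iface.network.prefixlen != 30:
        raise ValueError("net30 assigns a /30 per client")
    a, b = iface.network.hosts()  # the two usable addresses of the /30
    return str(a if iface.ip == b else b)


def parse_route_print(text):
    """Parse 'dest mask gateway interface metric' rows into (network, gw, iface)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, anything that is not a route row
        dest, mask, gw, iface, _metric = parts
        try:
            rows.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface))
        except ValueError:
            continue
    return rows


def tunnel_routes(text, client_ip):
    """Networks the client routes through the VPN tunnel (via the net30 peer)."""
    peer = net30_peer(client_ip)
    return [str(net) for net, gw, iface in parse_route_print(text)
            if iface == client_ip and gw == peer]


def missing_tunnel_routes(text, client_ip, wanted_subnets):
    """Subnets behind the VPN server (e.g. LAN2 reached over the site-to-site
    IPsec) for which the client has no tunnel route, as .ovpn 'route' lines."""
    have = [ipaddress.ip_network(n) for n in tunnel_routes(text, client_ip)]
    missing = []
    for cidr in wanted_subnets:
        want = ipaddress.ip_network(cidr)
        if not any(want.subnet_of(h) for h in have):
            missing.append(f"route {want.network_address} {want.netmask}")
    return missing
```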