OpenVPN cannot access all the networks (local yes, but not the remote LAN)
Hi community!
I have set up 2 ER7206 for LAN2LAN usage. I set it up using IPsec. It works perfectly in local usage, i.e. machines connected behind the routers can see each other.
It looks like this:
LAN1 <-> Main site [ER7206] <- internet -> remote site [ER7206] <-> LAN2
Then I have set up a VPN access at the main site (on LAN1).
Before the last firmware, I only had access to LAN1 using PPTP.
With the new firmware (ER7206(UN)_V1_1.2.0 Build 20220117), VPN access from LAN1 is working with L2TP and PPTP: connected from home to LAN1 I can access all machines on LAN1 and LAN2: Good!
(For L2TP I have to change some registry keys in my W10 box)
But I have an issue using OpenVPN (new feature of the firmware and my preferred client VPN). The server setup is simple and fast but the connection gives me access only to LAN1. No way to access LAN2.
The OpenVPN client gives me an IP in a dedicated range outside LAN1 (as set up) with a fixed netmask of 255.255.255.252 and without a gateway!
Here is what I have (in French) connected using OpenVPN from home:
Suffixe DNS propre à la connexion. . . :
Adresse IPv6 de liaison locale. . . . .: xxxx
Adresse IPv4. . . . . . . . . . . . . .: 192.168.100.6
Masque de sous-réseau. . . . . . . . . : 255.255.255.252
Passerelle par défaut. . . . . . . . . :
LAN1 is like 192.168.10.0/24 Router 192.168.10.1
The IP obtained using OpenVPN is in 192.168.100.0/24 (yes, /24, and I have a /30 netmask): no way to get an IP from an IP pool: we only have an input for an IP, not a VPN IP Pool.
Basically, I thought I had to define one VPN IP pool per VPN access (L2TP, PPTP, OpenVPN), but the VPN IP pool is used only by PPTP and L2TP.
It was the same issue using PPTP with previous firmware: the IP was on LAN but no route to LAN2. It is fixed now.
I have the following using PPTP when connected from home:
Suffixe DNS propre à la connexion. . . :
Adresse IPv4. . . . . . . . . . . . . .: 192.168.10.8
Masque de sous-réseau. . . . . . . . . : 255.255.255.255
Passerelle par défaut. . . . . . . . . : 0.0.0.0
I have the following using L2TP when connected from home:
Suffixe DNS propre à la connexion. . . :
Adresse IPv4. . . . . . . . . . . . . .: 192.168.10.8
Masque de sous-réseau. . . . . . . . . : 255.255.255.255
Passerelle par défaut. . . . . . . . . : 0.0.0.0
=> It is consistent
My IP is linked on LAN to a 192.168.10.xx IP set up in user configuration: everything is OK!
For OpenVPN: Is it a firmware issue or did I miss something?
Thanks for help!
I only tested the Standalone mode; when setting up the OpenVPN server there is a Remote Subnets option, and it can cover more than one subnet.
I did not really test if it also works for Site-to-Site different sites' subnets, but you may have a try.
Hi all and @Somnus !
Thanks for the answer.
But when I set up the OpenVPN server I have no remote options!
You are talking about an OpenVPN client on the ER7206 box.
I use an OpenVPN server on the ER7206 and connect from home with my PC using OpenVPN Connect. I see only the remote LAN, not the other LAN accessed with the LAN2LAN VPN.
Thanks.
I haven’t been in exactly the same situation, but that’s my take on your issue for whatever it’s worth.
“LAN1 is like 192.168.10.0/24 Router 192.168.10.1
IP get using OpenVPN is in 192.168.100.0/24 (yes /24 and I have a /30 netmask) “
Is the 192.168.100.0/24 subnet already on LAN1? I mean LAN1 by itself, no OpenVPN involved. Is the routing between this subnet and the 192.168.10.0/24 subnet already working? If not, try to configure your LAN1 OpenVPN server on the 192.168.10.0/24 subnet instead. Make sure the VPN IP Pool does not overlap with your local DHCP pool in this subnet.
BTW, I’m surprised that you can use the /30 netmask in the OpenVPN IP Pool. My ER7206 let me set /29 max (same firmware version).
“OpenVPN client give me an IP in a dedicated range outside LAN1 (as set up) with a fix net mask 255.255.255.252 and without gateway!”
That’s how the output of ‘ipconfig’ looks when you use OpenVPN. Run ‘route print’ to get the whole picture.
Hi @KJK !
Thanks for the answer.
My LAN1 is 192.168.10.0/24
My LAN2 is 192.168.11.0/24
LAN1 is the entry point of OpenVPN (also PPTP and L2TP, which are running fine but need the W10 registry to be modified).
It is not possible to set OpenVPN on the same local subnet. Possible using a /27, but same issue.
You are right for the ipconfig. Here is the route print (in French :)) using the OpenVPN IP in 192.168.100.0/24:
IPv4 Table de routage
===========================================================================
Itinéraires actifs :
Destination réseau Masque réseau Adr. passerelle Adr. interface Métrique
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.124 25
93.8.29.169 255.255.255.255 192.168.1.1 192.168.1.124 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 On-link 192.168.1.124 281
192.168.1.124 255.255.255.255 On-link 192.168.1.124 281
192.168.1.255 255.255.255.255 On-link 192.168.1.124 281
192.168.10.0 255.255.255.0 192.168.100.5 192.168.100.6 257
192.168.19.255 255.255.255.255 On-link 192.168.19.1 291
192.168.100.6 255.255.255.255 On-link 192.168.100.6 257
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.100.6 257
224.0.0.0 240.0.0.0 On-link 192.168.1.124 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.100.6 257
255.255.255.255 255.255.255.255 On-link 192.168.1.124 281
255.255.255.255 255.255.255.255 On-link 192.168.19.1 291
255.255.255.255 255.255.255.255 On-link 192.168.147.1 291
===========================================================================
Itinéraires persistants :
Adresse réseau Masque réseau Adresse passerelle Métrique
0.0.0.0 0.0.0.0 192.168.10.1 Par défaut
===========================================================================
I also added a local route on my PC: same result.
I set what you said (OpenVPN IP in the local subnet 192.168.10.248/29).
=> Same result.
Here is the route print:
===========================================================================
Itinéraires actifs :
Destination réseau Masque réseau Adr. passerelle Adr. interface Métrique
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.124 25
93.8.29.169 255.255.255.255 192.168.1.1 192.168.1.124 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 On-link 192.168.1.124 281
192.168.1.124 255.255.255.255 On-link 192.168.1.124 281
192.168.1.255 255.255.255.255 On-link 192.168.1.124 281
192.168.10.0 255.255.255.0 192.168.10.253 192.168.10.254 257
192.168.10.248 255.255.255.248 192.168.10.253 192.168.10.254 257
192.168.10.252 255.255.255.252 On-link 192.168.10.254 257
192.168.10.254 255.255.255.255 On-link 192.168.10.254 257
192.168.10.255 255.255.255.255 On-link 192.168.10.254 257
192.168.19.0 255.255.255.0 On-link 192.168.19.1 291
192.168.19.1 255.255.255.255 On-link 192.168.19.1 291
192.168.19.255 255.255.255.255 On-link 192.168.19.1 291
192.168.147.0 255.255.255.0 On-link 192.168.147.1 291
192.168.147.1 255.255.255.255 On-link 192.168.147.1 291
192.168.147.255 255.255.255.255 On-link 192.168.147.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.10.254 257
224.0.0.0 240.0.0.0 On-link 192.168.1.124 281
224.0.0.0 240.0.0.0 On-link 192.168.19.1 291
224.0.0.0 240.0.0.0 On-link 192.168.147.1 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.10.254 257
255.255.255.255 255.255.255.255 On-link 192.168.1.124 281
255.255.255.255 255.255.255.255 On-link 192.168.19.1 291
255.255.255.255 255.255.255.255 On-link 192.168.147.1 291
===========================================================================
Itinéraires persistants :
Adresse réseau Masque réseau Adresse passerelle Métrique
0.0.0.0 0.0.0.0 192.168.10.1 Par défaut
===========================================================================
Note: 192.168.19 and 147 are for the VMware local network. Dismiss them.
But if I manually add a route on my PC using
route add 192.168.11.0 mask 255.255.255.0 192.168.10.253
=> It works.
But users are not allowed to add routes. They don't know what it is!
Thanks for your help, but now I have a new issue: how to add this route automatically?
Didier
Hi @KJK !
I respond to myself!
For OpenVPN, we can use the OpenVPN client. It connects directly to the server on its own, BUT with the default ovpn file, clients only see the LAN of the OpenVPN server. If you want connected clients to see another part of your network you will have to add a route in the VPN session.
2 solutions:
- Bad solution: add a route on the client side (admin privs ... command line)
- Good solution: add the route into the ovpn file!
I have found the solution but I did not find a full documentation of ovpn file.
In short, just add the route that should be accessible to the client in the profile.
For my case: (adapt to your case, or add several routes)
route 192.168.11.0 255.255.255.0
And just reconnect!
Thanks.
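The fix above is a `route` directive in the client profile, and the thread also shows what goes wrong when it is missing (LAN2 unreachable) and what the client's own home LAN looks like (192.168.1.0/24 in the route print). The following script, added here as an illustration and not part of the thread or of TP-Link's export, parses a constructed .ovpn profile, combines its `route` lines with the subnet the server pushes, and reports which required subnets are still unreachable and which profile routes would swallow the client's own LAN. The profile text, the `vpn.example.invalid` hostname and the helper names are all assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample profile, modelled on the thread; it is NOT an ER7206 export.
# The router pushes its own LAN (LAN1); the "route" line for LAN2 is the one the
# thread found had to be added by hand.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
# assumed placeholder for the DDNS name of the main site
remote vpn.example.invalid 1194
# LAN2, reachable from the main site over the site-to-site IPsec tunnel
route 192.168.11.0 255.255.255.0
dhcp-option DNS 192.168.10.1
"""


def parse_profile(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive name to the argument lists it appears with.
    Comment lines (# or ;) and blank lines are dropped; inline <ca>...</ca>,
    <cert>... blocks carry no routing information and are skipped."""
    directives: Dict[str, List[List[str]]] = {}
    in_inline_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("<"):                 # <ca>, </ca>, <cert>, ...
            in_inline_block = not line.startswith("</")
            continue
        if in_inline_block:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def profile_routes(directives: Dict[str, List[List[str]]]) -> List[IPv4Net]:
    """'route network [netmask [gateway [metric]]]'; a missing netmask means /32."""
    routes: List[IPv4Net] = []
    for args in directives.get("route", []):
        network = args[0]
        netmask = args[1] if len(args) > 1 else "255.255.255.255"
        routes.append(IPv4Net(f"{network}/{netmask}", strict=False))
    return routes


def check_profile(profile_text: str, pushed_by_server: List[str],
                  needed: List[str], client_lan: str) -> Tuple[List[str], List[str]]:
    """Return (missing, conflicting).
    missing:     needed subnets covered by neither a pushed nor a profile route.
    conflicting: profile routes that overlap the client's own LAN and would pull
                 local traffic into the tunnel."""
    directives = parse_profile(profile_text)
    own_routes = profile_routes(directives)
    effective = [IPv4Net(n) for n in pushed_by_server] + own_routes
    missing = [n for n in needed
               if not any(IPv4Net(n).subnet_of(r) for r in effective)]
    home = IPv4Net(client_lan)
    conflicting = [str(r) for r in own_routes if r.overlaps(home)]
    return missing, conflicting


if __name__ == "__main__":
    missing, conflicting = check_profile(
        SAMPLE_PROFILE,
        pushed_by_server=["192.168.10.0/24"],           # LAN1, pushed by the router
        needed=["192.168.10.0/24", "192.168.11.0/24"],  # LAN1 and LAN2
        client_lan="192.168.1.0/24",                    # home LAN seen in the route print
    )
    print("missing routes:", missing or "none")
    print("routes overlapping the home LAN:", conflicting or "none")
```

Run it against a profile before handing it to users: an empty `missing` list means the profile already carries every route the site-to-site layout needs, so nobody has to type `route add` with admin rights on the client.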
It’s nice to see that you have found a solution that works for you. It looks like OpenVPN is quite a flexible product and can be successfully configured in various ways.
I configure my OpenVPN server on local subnets with established routes. I have 4 subnets in my local network and I can use any of them as ‘Local Network’ in the OpenVPN Server configuration. No additional routes are necessary. I also edit the .ovpn file to change the server IP (remote) address to my DDNS name as well as add my own DNS servers and local DNS domain.
It is worth noting that this TP-Link implementation of OpenVPN has an unfortunate “undocumented feature”. It pushes the ‘Local Network’ IP as the primary DNS server to clients, which is terribly wrong if you enter there the true local network IP instead of the local network default gateway. Moreover, it pushes 8.8.8.8 (Google) as the secondary DNS server. These IP addresses cannot be removed but they can be pushed down the list of DNS servers with the ‘dhcp-option DNS’ directive.
Cheers!
Hi @KJK !
Thanks for your answer! I need to add a route in my ovpn file. It is OK (I also changed the IP to my DDNS).
Your configuration is my next step.
But I did not succeed in defining several subnets on 2 sites: 2 subnets per site, 1 subnet strictly "private" without internet access but seeing the other private subnet, the other subnet with internet access and seeing everything; sites are linked together with a LAN2LAN IPsec VPN.
Can you give some explanations on how your network is and how you have defined it in the ER7206 (no controller)?
(LAN, VLAN, route between subnets...)
Thanks for your time!
This is a pretty late reply, but I couldn’t answer earlier.
I’m not sure if my network configuration will be of any help to you, because ER7206 is not at the centre of my network. I have a routing switch and all inter-VLAN traffic is handled by that switch and does not reach the router at all. I use that router only for Internet traffic. The router sits at the edge of my Management VLAN and as such it is not configured to be VLAN-aware. However I did define some static routes on it to tell the router how to reach the subnets on my other VLANs.
As for the OpenVPN configuration, I think that you have configured the OpenVPN server the opposite way to my configuration. In my configuration the ‘Local Network’ is always one of the subnets on the OpenVPN server side. The ‘IP Pool’ can be just any private IP range as long as it does not conflict with the subnets on the VPN server side.
However, such a configuration will give you access only to the one local subnet you have entered in the OpenVPN server configuration. The router's standalone GUI does not make it possible to add any additional local subnets. I think you can do it with Omada, but I do not have any Omada controller to verify it.
The implementation of OpenVPN on ER7206 uses a long-deprecated topology called ‘net30’ and it is very limited. This topology has been replaced with a topology called ‘Subnet’ which works much better. I’m not a big VPN user, but if I were one and wanted to use OpenVPN, I would look for some Open Source implementation instead.
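Two points in the post above can be made concrete with a short calculation: that the ‘IP Pool’ must not overlap any server-side subnet, and that the net30 topology hands every client its own /30, which is why the first post saw 192.168.100.6 with gateway 192.168.100.5 and the /29 test saw 192.168.10.254 with gateway 192.168.10.253. The script below is an added example, not code from the thread or from TP-Link; it carves a pool the way OpenVPN server mode does in net30 (first /30 for the server, one /30 per client), compares the resulting client capacity with topology subnet, and lists server-side subnets the pool overlaps. The function names and the LAN list are assumptions for the example.

```python
import ipaddress
from typing import List, Tuple

# (network, server-side endpoint, client address, broadcast) of one /30
Slot = Tuple[str, str, str, str]


def net30_slots(pool: str) -> List[Slot]:
    """Carve the pool into the /30 blocks OpenVPN uses with topology net30.
    In server mode the first /30 is the server's own (x.1 local, x.2 peer) and
    every later /30 is one client: the client gets x.2, sees x.1 as its peer
    and gateway, and x.0 / x.3 are the unusable network and broadcast."""
    net = ipaddress.IPv4Network(pool)
    slots: List[Slot] = []
    for block in net.subnets(new_prefix=30):
        a = list(block)                         # exactly four addresses
        slots.append((str(a[0]), str(a[1]), str(a[2]), str(a[3])))
    return slots


def net30_client_slots(pool: str) -> List[Slot]:
    """All /30 blocks except the server's own first block."""
    return net30_slots(pool)[1:]


def net30_capacity(pool: str) -> int:
    """Concurrent clients the pool supports with net30: one per client /30."""
    return len(net30_client_slots(pool))


def subnet_capacity(pool: str) -> int:
    """Same pool with topology subnet: every address except network, broadcast
    and the server's own address can be handed to a client."""
    return max(0, ipaddress.IPv4Network(pool).num_addresses - 3)


def pool_conflicts(pool: str, server_side_subnets: List[str]) -> List[str]:
    """Server-side subnets the pool overlaps; this list should be empty."""
    p = ipaddress.IPv4Network(pool)
    return [s for s in server_side_subnets if p.overlaps(ipaddress.IPv4Network(s))]


def explain(pool: str, server_side_subnets: List[str]) -> None:
    print(f"pool {pool}: net30 fits {net30_capacity(pool)} client(s), "
          f"topology subnet would fit {subnet_capacity(pool)}")
    for network, peer, client, bcast in net30_client_slots(pool)[:3]:
        print(f"  client {client}/30  gateway {peer}  (net {network}, bcast {bcast})")
    print("  overlaps server-side subnet(s):", pool_conflicts(pool, server_side_subnets) or "none")


if __name__ == "__main__":
    lans = ["192.168.10.0/24", "192.168.11.0/24"]   # LAN1 and LAN2 from the thread
    explain("192.168.100.0/24", lans)   # first post: client .6, gateway .5
    explain("192.168.10.248/29", lans)  # later test: client .254, gateway .253
```

The /29 case shows why the GUI's small pools bite: 192.168.10.248/29 yields exactly one client slot (192.168.10.252/30), and because it is carved out of LAN1 it also shows up in `pool_conflicts`, which is the overlap the post advises against.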
Hi @KJK !
Thanks for your answer.
You are right, OpenVPN uses a net30 architecture which offers only 2 IPs on the VPN client side (net + local IP + remote IP + broadcast). It allows each client to be isolated (or not).
Thanks for your help! My favorite VPN client connection is OpenVPN, because L2TP is "special" on the Windows side (need to modify some registry keys, fully explained on TP-Link support, but I am not in favour of changing registry keys). OpenVPN Connect is so ... simple and efficient!
The TP-Link OpenVPN implementation should offer simpler options/help:
- how to generate different client keys (just restart the service and export the OVPN file)
- allow adding a route to the remote LAN (accessible with site2site)
- ...
On the other hand, the OpenVPN documentation is not very detailed on the ovpn file.
But the GUI is fine!
I can't wait for the next firmware with bug corrections (in the log, it is always 169.254.11.22 that is connecting to the GUI when using VPN) and new features!
Regards!