Can't connect to LAN devices via OpenVPN but remote desktop works
I am having trouble seeing a Windows device on my home LAN when I connect through OpenVPN on my router Archer AX1800.
When physically on the network, I can see the device and connect to it: remote desktop via LAN IP, mapped network drive via the IP or nickname, SMB, etc. However, when I am off the network and use the VPN to see my home LAN, nothing works EXCEPT remote desktop to the device via the LAN IP 192.168.0.xx and accessing the router via the IP.
I have tried this from both my phone using SMB via the Android app Solid Drive, and from a Windows device. Same results: only Remote Desktop to the LAN device connects when using OpenVPN.
I have the router configured with the following, among other things:
- Dynamic DNS via TP-Link and is bound.
- OpenVPN Client Access: Internet and home network
- The OVPN Config file I use has the remote line with the tplinkdns.com so I don't get stuck with a reset IP when out of the network.
What should I do to troubleshoot this further?
Hi,
The Windows firewall has separate rules for local connections and remote connections. By default the firewall blocks nearly all access for devices trying to connect from a remote network.
A connection coming in via the OpenVPN of the Archer AX1800 is seen as a remote connection.
By the way, when the Remote Desktop feature is being activated in Windows, the firewall settings for this service are automatically changed for you to allow connections from any IP addresses of remote networks.
Confirm that the DNS resolution is working correctly. Ensure that the OpenVPN clients receive the correct DNS server settings so they can resolve local hostnames.
Try accessing devices using both IP addresses and hostnames to see if DNS resolution is causing the problem. Examine the OpenVPN server and client logs for any error messages or warnings. These logs can provide valuable information about the connection process and any issues encountered.
Forgive my ignorance. I thought the VPN would make my remote device appear as a LAN device, so as not to need to open ports to the internet at the router level and keep it more secured. Is there a way to configure my Windows device or the VPN to accept these VPN clients as if they were on the LAN instead of remote? If there's a suggested guide to follow, I'd be happy to give it a shot. Or if you have a better suggestion for allowing remote access while keeping security high.
@benisfroms Thanks for the suggestions. How much of this is possible using OpenVPN in the router or my own OpenVPN clients? I am unfortunately finding documentation suggesting this is not possible at the router level for OpenVPN.
From the point of view of the Archer router both networks are local (if you've kept the default settings that would be 192.168.0.0/24 for the LAN and 10.8.0.0/24 for the VPN), but for the Windows computer only the network 192.168.0.0/24 is local.
If you connect a computer via an OpenVPN client to the OpenVPN server of your Archer AX1800, then that computer will be assigned a client IP address like 10.8.0.2, for example, and to the Windows computer inside your home network this is not a local IP address.
And that is the only OpenVPN mode that is currently implemented in TP-Link's home routers (referred to as "TUN" mode), with one exception.
At present one specific home router model supports the "other" mode that allows the OpenVPN client to be truly part of the local network (read about it here: https://community.tp-link.com/en/home/forum/topic/637010).
But there is no need to open any ports on the router in your case. You just need to tell the Windows firewall of the computer you are trying to access which remote IP addresses are allowed to connect to whatever service.
For SMB that would be the firewall rule for "File and Printer Sharing (SMB-In)".
To do that, open the "Windows Defender Firewall with Advanced Security". Either search for it via Windows' search feature (usually to be found in the Taskbar) or run "wf.msc" via command line.
Then just go by the screenshot I've added below. Make sure you select the rule that is actually "Enabled" -> "Yes". For testing you can select "Any IP address" (the option framed in blue), but for maximum security it will be better to add only the addresses used by the OpenVPN (via the "Add" button).
If you want to access or make use of other services on the home network's Windows computer as well via the VPN connection, then of course you have to do the same for those services.
Your instructions were extremely helpful. Thank you for that and the explanation. I tested this a moment ago in file explorer, and I can now connect to the LAN device using the local IP! Excellent!
Right now I tested opening the firewall to an IP range because it changed with each VPN disconnect. Is there a way to assign or request a dedicated IP (e.g. 10.8.0.1) for the client when going through the VPN?
Side note: when trying the bookmarked device name on Windows, it doesn't work. I also noticed that my SMB connection through the Android device still won't play along either. Not sure if I have to change the host address. It's configured to contact the host at: smb//192.168.0.XXX with SMB2/3.
a_pensive_panda wrote
Right now I tested opening the firewall to an IP range because it changed with each VPN disconnect. Is there a way to assign or request a dedicated IP (e.g. 10.8.0.1) for the client when going through the VPN?
The Archer AX1800's "Advanced" -> "VPN Server" -> "OpenVPN" menu shows all the options that TP-Link has made available to you. And a client device cannot request a particular IP address.
The best you could do is to reduce the IP range the AX1800's OpenVPN Server is allowed to use by modifying the "Netmask" value. A netmask of 255.255.255.252 would only allow for two devices (i.e. the server's own IP address and one IP address for a client), but my TP-Link router for example refuses that netmask. The next best one would be 255.255.255.248, which allows for 6 addresses to be assigned (10.8.0.1 - 10.8.0.6). The entry for the Windows Firewall would then change to 10.8.0.0/29.
a_pensive_panda wrote
Side note: when trying the bookmarked device name on Windows, it doesn't work. I also noticed that my SMB connection through the Android device still won't play along either. Not sure if I have to change the host address. It's configured to contact the host at: smb//192.168.0.XXX with SMB2/3.
Yes, using Windows hostnames (computer names) will not work over the OpenVPN connection. At least I don't know how to make it work.
What is the name of the app you use on the Android device? In the file manager apps I use I just enter the IP address of the computer in my home network that I want to reach. That is no different to using a Windows computer.
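The firewall scoping described in the two replies above (the "File and Printer Sharing (SMB-In)" rule, limited to the OpenVPN range) can also be applied from an elevated PowerShell session on the Windows computer. This is an added example, not something posted by the thread's participants; it assumes the built-in NetSecurity cmdlets and the 10.8.0.0/29 range that results from the 255.255.255.248 netmask (use 10.8.0.0/24 for the router default).

```powershell
# Added example: scope the inbound SMB rule to the LAN plus the OpenVPN range.
# Run as Administrator on the computer that hosts the share.

# Assumption: OpenVPN netmask set to 255.255.255.248 as suggested above.
# With the router's default netmask this would be '10.8.0.0/24'.
$VpnSubnet = '10.8.0.0/29'
$ruleName  = 'File and Printer Sharing (SMB-In)'

# Several rules share this display name (one per firewall profile).
# Only change the ones that are actually enabled.
$rules = Get-NetFirewallRule -DisplayName $ruleName |
    Where-Object { $_.Enabled -eq 'True' }

if (-not $rules) {
    throw "No enabled rule named '$ruleName' was found."
}

foreach ($rule in $rules) {
    # Record the current scope so it can be restored by hand if needed
    $before = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host "$($rule.Name) [$($rule.Profile)] before: $($before -join ', ')"

    # This REPLACES the rule's remote-address scope: hosts on the local
    # subnet keep access, and the VPN client range is the only addition.
    # A rule previously open to 'Any' is narrowed by this.
    $rule | Set-NetFirewallRule -RemoteAddress @('LocalSubnet', $VpnSubnet)
}

# Show the resulting scope for review
Get-NetFirewallRule -DisplayName $ruleName |
    Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.Name
            Profile       = $_.Profile
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    }
```

Windows may display the stored range in address/mask form (10.8.0.0/255.255.255.248) rather than the /29 that was entered; both describe the same six client addresses.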