
OpenVPN: ssh to a computer on the local network

Discussion in 'Tomato Firmware' started by vinhdizzo, Dec 23, 2010.

  1. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Hi everyone,

    I don't think this is the best place to be asking an OpenVPN question, but since I have OpenVPN set up on my Tomato router, I figure I'd give it a shot.

    I have OpenVPN set up per the wiki. In addition, I added authentication to the setup as outlined by this post; I thus use SSL and password authentication.

    When I am on an outside network, I use OpenVPN on my laptop to VPN to my home network. On the web browser, I can point to 192.168.1.1 and I can control the router. However, when I ssh to 192.168.1.70, a local computer on the network, things do not work. My VPN submask is 10.8.0.0.

    Shouldn't I be able to ssh to a local computer on the network? If not, why? Can I make it so I can? I'm actually not that savvy with networking so I'm probably misunderstanding things. Thanks so much.
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, you should be able to. Can you communicate with LAN devices at all (ping, etc)? Is it possible that the target device has a firewall that's blocking you? The local IP address of the client (not the VPN IP, but the IP address of the local LAN where you're connecting from) doesn't happen to be on the 192.168.1.x subnet, does it? Can you post the routing table from the client when connected to the VPN?
     
  3. vinhdizzo

    vinhdizzo Networkin' Nut Member

    No, I wasn't able to ping to the other devices.

    No, my IP (once the VPN is on) is 10.8.0.6 (subnet is 10.8.0.0 as mentioned before). Is this the reason why?

    I've never dealt with routing tables, but is this what you are looking for?

    Code:
    $ ip route show dev tun21 table local
    local 10.8.0.6  proto kernel  scope host  src 10.8.0.6 
    $ ip route show dev tun21
    10.8.0.5  proto kernel  scope link  src 10.8.0.6 
    10.8.0.1 via 10.8.0.5 
    192.168.1.0/24 via 10.8.0.5 
    $ ip route show dev wlan0
    192.168.2.0/24  proto kernel  scope link  src 192.168.2.100  metric 2 
    169.254.0.0/16  scope link  metric 1000 
    default via 192.168.2.254  proto static 
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    To reiterate, I was asking for the local IP (the ip on the local LAN of the client), not the VPN IP. If it is indeed on the same subnet as the VPN or your server LAN, then it is the problem. All three need to be distinct from each other.
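    As an added example (not code from anyone in this thread), here is a small Python script that applies the rule stated above: it checks that the client's local LAN, the VPN subnet and the server LAN are pairwise distinct, and then reads `ip route show` output from the client (the sample below is constructed from the table posted earlier in this thread) to confirm that the route to the server LAN actually goes through the tunnel rather than the default gateway. The subnet values and the route text are assumptions taken from this thread, not from any real configuration.

```python
import ipaddress

# Constructed sample values taken from this thread: the laptop's tethered LAN,
# the OpenVPN address pool, and the home LAN behind the Tomato router.
CLIENT_LAN = "192.168.2.0/24"
VPN_NET = "10.8.0.0/24"
SERVER_LAN = "192.168.1.0/24"

# Constructed sample: the laptop's routing table while connected, in the
# format of `ip route show` (the '$' prompt lines from the post are omitted).
CLIENT_ROUTES = """\
10.8.0.5  proto kernel  scope link  src 10.8.0.6
10.8.0.1 via 10.8.0.5
192.168.1.0/24 via 10.8.0.5
192.168.2.0/24  proto kernel  scope link  src 192.168.2.100  metric 2
169.254.0.0/16  scope link  metric 1000
default via 192.168.2.254  proto static
"""


def find_overlaps(named_nets):
    """Return (name_a, name_b) for every pair of networks that share addresses."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in named_nets.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def parse_ip_route(text):
    """Parse `ip route show` output into (destination_network, next_hop_or_None)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        except ValueError:
            continue  # skip entries such as 'local ...' from the local table
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((net, via))
    return routes


def route_reaches_via_tunnel(routes, target_cidr, tunnel_cidr):
    """True if the longest-prefix route covering target has a next hop inside the tunnel subnet."""
    target = ipaddress.ip_network(target_cidr, strict=False)
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    covering = [(net, via) for net, via in routes if target.subnet_of(net)]
    if not covering:
        return False
    net, via = max(covering, key=lambda r: r[0].prefixlen)
    return via is not None and ipaddress.ip_address(via) in tunnel


def diagnose(client_lan, vpn_net, server_lan, client_route_text):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    named = {"client LAN": client_lan, "VPN subnet": vpn_net, "server LAN": server_lan}
    for a, b in find_overlaps(named):
        findings.append(f"{a} overlaps {b}: all three must be distinct")
    routes = parse_ip_route(client_route_text)
    if not route_reaches_via_tunnel(routes, server_lan, vpn_net):
        findings.append(f"no route to {server_lan} through the tunnel: the server must push it")
    return findings


if __name__ == "__main__":
    result = diagnose(CLIENT_LAN, VPN_NET, SERVER_LAN, CLIENT_ROUTES)
    for line in result or ["no routing problems found"]:
        print(line)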
     
  5. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Ahh, my local ip tethering through the phone is 192.168.2.100 (this is what I'm using to test). My home network is 192.168.1.*. I just changed my settings on the phone, and my new local IP is 172.20.21.100. I'm still not able to ping or ssh to 192.168.1.70 (home network).

    Thanks.
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Things look fine on the client. Is the VPN server router the default gateway for the computer you're trying to connect to?
     
  7. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Not exactly sure what you mean by this (sorry!). When I'm on the local network, I just ssh to 192.168.1.70 and things work. When I VPN to home network, things do not work.

    If you can be kind enough as to explain what you mean then I can try my best to answer it. Thanks!
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What does the topology look like on your LAN? Does the Internet traffic for 192.168.1.70 go through the router you configured as the VPN server, or are there other routers involved?
     
  9. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Hopefully I am answering your question.

    I have one main router running tomato (192.168.1.1) that is connected to an ONT box for FiOS internet connection. 192.168.1.70 is connected to this router via the a WIRED connection. Yes, it is getting internet from the tomato router. I also have 3 dd-wrt routers acting as wireless bridges to this main router.

    Thanks.
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, can you post the routing table from the Tomato router (route -n)?
     
  11. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Code:
    Kernel IP routing table 
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 
    10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun21 
    173.51.???.?    0.0.0.0         255.255.255.255 UH    0      0        0 vlan2 
    68.238.???.??   173.51.???.?    255.255.255.255 UGH   0      0        0 vlan2 
    68.238.??.??    173.51.???.?    255.255.255.255 UGH   0      0        0 vlan2 
    173.51.129.0    0.0.0.0         255.255.255.0   U     0      0        0 vlan2 
    10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun21 
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0 
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo 
    0.0.0.0         173.51.???.?    0.0.0.0         UG    0      0        0 vlan2 
    
    Let me know if you would also like the table when I VPN into the router.
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, I don't know why it's not working for you. :frown:
     
  13. Engineer

    Engineer Network Guru Member

    In your OpenVPN configuration, try changing the:

    dev tun21

    to

    dev tap

    and see if it now works.
     
  14. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Same results for this.


    The funniest thing is this. I can ping a laptop that is connected wirelessly to my router (just successfully tried it; ssh does not work; VNC does however). However, I cannot ping my NAS that is connected to the router with a wired connection.

    I find this very odd. Can anyone help me figure out what's wrong?
     
  15. vinhdizzo

    vinhdizzo Networkin' Nut Member

    The working ping works under the TUN setting, not TAP.
     
  16. Engineer

    Engineer Network Guru Member

    Sorry, did you also change the VPN setting in your router from TUN to TAP ?
     
  17. vinhdizzo

    vinhdizzo Networkin' Nut Member

    yes i did. I changed it in the router and in the config file. TAP does not work for me at all (could not connect to router from web browser). Could not ping any computer.
     
  18. Engineer

    Engineer Network Guru Member

    Hmm....don't know then. I have mine on a Tap setup and it works fine for everything I've tried.

    By the way, what IP did the Tap adapter (OpenVPN client on the PC) receive when changing the router to TAP as well as the client to Tap? Was it in the 192.168.1.xx range?

    For reference, I get an IP for the OpenVPN adapter (TAP) in the same range as my home network (192.168.5.xx) because it is set by DHCP on the VPN side of the router.

    Here is my OpenVPN config with IP address removed (I didn't get it from that Wiki because I didn't know the Wiki existed, lol)....

    Code:
    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################
    
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    dev tap
    ;dev tun
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    dev-node OpenVPN
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote IP-ADDRESS-HERE 1194
    ;remote my-server-2 1194
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca c:\\temp\\keys\\ca.crt
    cert c:\\temp\\keys\\client1.crt
    key c:\\temp\\keys\\client1.key
    
    # Verify server certificate by checking
    # that the certicate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server
    
    
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo
    
    # Set log file verbosity.
    verb 3
    
    # Silence repeating messages
    ;mute 20
    
    [​IMG]

    [​IMG]
     
  19. Engineer

    Engineer Network Guru Member

    Bump for the information that I just added above (should have posted new).
     
  20. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Thank you Engineer and SgtPepperKSU for your help. I think I figured out what's going on. I was very puzzled that I was able to ping to one of my computer and not the other. I suddenly remember that I have PeerGuardian/MoBlock installed on the computer that I could not ping/ssh to. After shutting down this service, I am able to connect to it via my original configurations (TUN).

    I have no idea why I can't ping or ssh to the server on VPN though as I am able to on the local network. I can also ssh to it when away since I have port-forwarding on on the router. Do you have any ideas (if you use peerguardian)?

    Also, should I just keep my TUN config or should I be using TAP. Not sure on the differences.
     
  21. Engineer

    Engineer Network Guru Member

    TAP is more like a direct Ethernet connection to the other PC's on the network where TUN is an IP connection to the rest of the network. A good comparison that I read was that TAP is like a long Ethernet cable between Client and Server and TUN is like a T1 connection between Client and Server. Tap is on a different network layer than Tun. I'm not a network guy so that's the best that I can explain it.

    Glad it's working for you. :)
     

Share This Page