  1. #1
    Untanglit
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    26

    Reach OpenVPN clients directly from a private network

    Mission:
    Enable internal subnet on a single Untangle network that runs the openvpn server to have network access to remote clients. I.e. can ping, rdp, ssh, from internal lan to remote client openvpn subnet.

    What's working:
    My Untangle OpenVPN is setup to allow remote clients and they have access to all internal subnet resources.

    What's not working:
    No access from internal subnet to remote OpenVPN clients. So it's a one way route.

    I have a basic idea what I need to do but having a hard time mapping that into the Untangle interface -- reaching the limits of my mental capacity.

    I found this on the OpenVPN site and it seems exactly what I need, but again, my limited knowledge on this makes it hard to figure out where exactly I need to make this happen within the Untangle interface.

    "To enable two-way traffic using routing, go to VPN Settings, Should VPN clients have access to private subnets, and set the option to yes, using routing (advanced) instead. Leave the check mark in the Allow access from these private subnets to all VPN client IP addresses and subnets checkbox. Then save settings and update running servers. That completes the configuration from the Access Server side. You may notice that if you try the connection now it may appear to fail. Appear to, because most likely the traffic now is actually making it from the VPN clients to a target in the private network just fine, but the target network may not have a clue on how to respond to traffic coming from a subnet (the VPN client subnet) that is unknown to it.

    To make things work properly again now you have to look up the static route table in the default gateway system in your private network. If your VPN client subnet is for example 172.16.47.0/24, and your OpenVPN Access Server installation is at IP address 192.168.47.222 then add this static route:

    Network 172.16.47.0 with subnet mask 255.255.255.0 to go through gateway 192.168.47.222"


    Any guidance would be greatly appreciated.

  2. #2
    Jim.Alles (Untangle Ninja)
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020

    I didn't digest all of this, but I think you can export the external network. Separate them with commas in the field.

  3. #3
    Jim.Alles (Untangle Ninja)
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020

    And the answer might also be adding the route directive in OpenVPN [advanced] client config. I forget how I did it, and I'll need to do some research.

  4. #4
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,494

    OpenVPN app, settings button...

    Server tab...

    UNCHECK: NAT OpenVPN Traffic.

    Make a note of the Address space IP range.

    Switch to the Exported Networks tab, ADD the exported networks range.

    Now... that solves the IP level stuff... and makes your VPN bidirectional... BUT, Windows firewall will KICK YOUR ARSE.

    Windows firewall by default will not accept even a PING from a private network that isn't local to the machine in question. That's why that NAT box is enabled... The LAN machines see UNTANGLE doing all the connecting... not the devices beyond it. BUT, you need to see those devices beyond if you want to be able to communicate with them directly.

    *IF* you're using a domain, you can solve this by adding the OpenVPN address pool IP range to Active Directory Sites and Services, because then machines on that IP range will use the DOMAIN Firewall profile by default. That profile allows for the usual suspects to work, like file and print sharing, ping, etc. The point is you need this traffic to be in a PRIVATE profile on the firewall, and by default the VPN is PUBLIC!

    But that's a group policy change, and it takes time to propagate... so in the meantime be ready to beat on the Windows Firewall ON BOTH ENDS if you do what I suggested above. If you don't have Active Directory or InTune to do this properly, you're going to have to configure the Windows firewall manually to trust all the IP ranges in question.

    If you're not using a Microsoft OS, similar things can happen, just beware of software firewalls on the endpoints.
    Last edited by sky-knight; 05-22-2020 at 11:24 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
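    The manual fallback sky-knight describes (trusting the VPN address range on each Windows endpoint once NAT is off) can be scripted so the allowance stays scoped to the pool rather than opening the host to everything. The block below is an added example, not code from the thread or from Untangle; it assumes the pool is 172.16.47.0/24 (the example range from the OpenVPN document quoted in post #1) and must be replaced with the Address Space value from the Untangle OpenVPN Server tab.

```powershell
# Added example (not from the thread): allow ICMP echo and RDP on a Windows endpoint
# only from the OpenVPN client address space, so LAN-to-client traffic works after
# "NAT OpenVPN Traffic" is unchecked and the pool is exported.
# ASSUMPTION: $VpnPool is the example range from the quoted OpenVPN doc; replace it
# with your own Address Space. Run in an elevated PowerShell on the endpoint.

$VpnPool    = '172.16.47.0/24'   # assumed value; use the Untangle Address Space here
$RulePrefix = 'OpenVPN-pool'

$rules = @(
    @{ Name = "$RulePrefix ICMPv4 echo"; Protocol = 'ICMPv4'; IcmpType = 8;     LocalPort = $null },
    @{ Name = "$RulePrefix RDP";         Protocol = 'TCP';    IcmpType = $null; LocalPort = 3389  }
)

foreach ($r in $rules) {
    # Idempotent: drop a stale rule of the same name before re-creating it.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $params = @{
        DisplayName   = $r.Name
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = 'Any'       # routed VPN traffic is often classified as Public
        RemoteAddress = $VpnPool    # scope to the VPN client subnet, never "Any"
        Protocol      = $r.Protocol
    }
    if ($null -ne $r.IcmpType)  { $params.IcmpType  = $r.IcmpType }
    if ($null -ne $r.LocalPort) { $params.LocalPort = $r.LocalPort }

    New-NetFirewallRule @params | Out-Null
}

# Verify the remote-address scope actually landed on each rule.
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
```

    Scoping RemoteAddress to the pool is the point: it reproduces what the Domain profile would grant for a known site without telling the firewall to trust every Public network the laptop ever joins. The same script works on the LAN side of the tunnel, since the firewall has to be opened "on both ends" as the post says.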

  5. #5
    Jim.Alles (Untangle Ninja)
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020

    Oh, yeah completely forgot about NAT.

  6. #6
    Untanglit
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    26


    Quote Originally Posted by sky-knight:
    OpenVPN app, settings button...
    Server tab...
    UNCHECK: NAT OpenVPN Traffic.
    Make a note of the Address space IP range.
    Switch to the Exported Networks tab, ADD the exported networks range.
    Now... that solves the IP level stuff... and makes your VPN bidirectional... BUT, Windows firewall will KICK YOUR ARSE.
    Bam! That did the trick perfectly. Everything is talking to one another the way I wanted. Once again, thank you!

  7. #7
    Untanglit
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    26


    Quote Originally Posted by Jim.Alles:
    I didn't digest all of this, but I think you can export the external network. Separate them with commas in the field.
    You can use the GUI via the "add" button which makes it idiot proof for syntax. I'll attach a quick snap here as I'm sure others might want to do the same in the future and may stumble on this post:

    [attachment: vpn.jpg]

  8. #8
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,494

    Yep, that's it exactly.

    Once that's done if things don't work blame the local firewall. Or the Untangle one... if you configure it to block stuff.

    Oh, one more thing, the VPN client's name? That's a "username" as far as the firewall module is concerned. So if you want to control what goes into and out of the VPN clients, you can do so via name in the Firewall app.

  9. #9
    Untanglit
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    26


    Quote Originally Posted by sky-knight:
    Once that's done if things don't work blame the local firewall. Or the Untangle one... if you configure it to block stuff.
    Yeah, already setting up the Windows Firewall crap as I type this.

    Quote Originally Posted by sky-knight:
    Oh, one more thing, the VPN client's name? That's a "username" as far as the firewall module is concerned. So if you want to control what goes into and out of the VPN clients, you can do so via name in the Firewall app.
    That's an awesome tip! Thank you! I definitely will be mucking around with this. Your help on my last couple of posts has brought my VPN configuration to completion. Now all that's left is to suffer a catastrophic hardware failure which will give me an excuse to upgrade to 15.1 sooner rather than later.

  10. #10
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,494

    It's Untangle, back up the configuration... 15.0 backups will restore on 15.1.

    The first time you do a full juggle of Untangle from one platform to another including license transfer will take you about 45min.

    After that? Well... I've done total system rebuilds in as little as 15min personally. Restoring from bare metal to a VM, moving off a VM back to bare metal, jumping from 32bit to 64bit and back again... doesn't matter. Untangle restores navigate all of it very well, I remember the days they didn't... I don't miss them.