openVPN: no home network access - Security


Thread: openVPN: no home network access

  1. openVPN: no home network access

    I have an openVPN network ready.
    Got a connection from my mobile laptop.
    (initialized. TAP Windows32 Adapter V8 connected)

    I didn't get my Windows network visible from the road.

    openVPN is on a Linux firewall pc.
    This firewall is between my home network and the internet.

    Has anybody a hint what could be wrong?

    Best
    Juergen



  2. Re: openVPN: no home network access

    Juergen Loewner wrote:
    > I have an openVPN network ready.
    > Got a connection from my mobile laptop.
    > (initialized. TAP Windows32 Adapter V8 connected)
    >
    > I didn't get my Windows network visible from the road.
    >
    > openVPN is on a Linux firewall pc.
    > This firewall is between my home network and the internet.
    >
    > Has anybody a hint what could be wrong?


    The Windows network is a strictly LAN network by
    default - unless specially configured, it works
    in the single subnet only.

    I guess that the OpenVPN tunnel inside address is
    not in the same subnet as the Windows computers,
    and/or the tunnel is not bridged with the local
    network.

    --

    Tauno Voipio
    tauno voipio (at) iki fi


  3. Re: openVPN: no home network access

    Hi Tauno!

    Inner tunnel???
    What's that?
    How to set the address(range)?

    Firewall is on 1.2.3.4
    Internal net ethercards is 1.2.4.254
    Net: 1.2.4.0/24

    Is the inner tunnel (I assume the 10.8.0.1 set by:
    server 10.8.0.0 255.255.255.0
    in the server.conf)
    to be set to (for my example)
    server 1.2.4.0 255.255.255.0
    ??

    Best
    Juergen

  4. Re: openVPN: no home network access


    Juergen Loewner wrote:
    > Hi Tauno!
    >
    > Inner tunnel???
    > What's that?
    > How to set the address(range)?
    >
    > Firewall is on 1.2.3.4
    > Internal net ethercards is 1.2.4.254
    > Net: 1.2.4.0/24
    >
    > Is the inner tunnel (I assume the 10.8.0.1 set by:
    > server 10.8.0.0 255.255.255.0
    > in the server.conf)
    > to be set to (for my example)
    > server 1.2.4.0 255.255.255.0


    A tunnel means that network packets are wrapped into
    other network packets and sent to the other end of the
    connection. This is what VNs (Virtual Networks) do.
    The 'private' part (of VPN) means that the network packet
    to be shipped is encrypted before packing into the
    wrapper packet.

    A VPN interface has two sets of addresses:

    - the addresses at each end of the subnet whose packets
    are handled as payload (inside of the tunnel),

    - the addresses at each end of the public net used to
    connect the tunnel ends together.

    A default OpenVPN installation uses UDP/1194 for the outside ports
    and, of course, the public addresses of the gateway computers.

    There are two alternatives for the tunnel inside:

    - the tun interface which transports IP packets, and which
    have to be routed properly into and out of the tunnel at
    each end,

    - the tap interface which transports Ethernet packets. To connect
    networks together, usually the interfaces have to be bridged
    to make all Ethernet frames traverse the tunnel.

    To make the Windows network visible, you have either to use the
    tap interface or set up the network for routed network (for details,
    ask from a Windows group, it's Greek to me).

    HTH

    --

    Tauno Voipio
    tauno voipio (at) iki fi

  5. Re: openVPN: no home network access

    "Juergen Loewner" wrote in news:e6gru4$vsr$1
    @news.citykom.de:

    > I have an openVPN network ready.
    > Got a connection from my mobile laptop.
    > (initialized. TAP Windows32 Adapter V8 connected)
    >
    > I didn't get my Windows network visible from the road.
    >
    > openVPN is on a Linux firewall pc.
    > This firewall is between my home network and the internet.
    >
    > Has anybody a hint what could be wrong?


    Could be all sorts of things.

    Are you pushing the route for the home network out to the OpenVPN client?

    In the OpenVPN server config, you need a line something like:

    push "route 192.168.0.0 255.255.255.0"

    Also you will need Netfilter rules to allow the Windows networking protocol to
    get through. If you are not using a WINS server then you may have trouble
    with netbios name resolution on the remote client - you might have to add
    entries to the windoze system32\drivers\etc\hosts file.

    Klazmon.





  6. Re: openVPN: no home network access

    Klazmon,
    I have done that.
    But it didn't work so far.

    I have to say the firewall which also holds openvpn
    has several interfaces:
    1) internet (83.82.81.1)
    2) intern lan (192.168.100.x)
    3) dmz (83.82.81.x)
    4) wlan (192.168.101.x)

    all subnets are reached from any other inside
    the firewall allows only access to dmz from outside

    I am just trying the bridge setup.

    The bridge is bound to 192.168.100.x
    does anybody know if I have to bind the bridge to the
    other subnets explicitly?

    Best
    Juergen




  7. Re: openVPN: no home network access

    "Juergen Loewner" wrote in
    news:e6s949$j8u$1@news.citykom.de:

    > Klazmon,
    > I have done that.
    > But it didn't work so far.


    To prove it. Establish the OpenVPN connection from the client. Then from
    the Windoze command prompt do a:

    route print

    If you compare the output of this command before and after starting the
    OpenVPN client you can check that the route for the internal lan
    192.168.100.0/24 is being learned by the Windoze client. If it is, you
    then have the issue of name resolution. If the client PC is trying to for
    example connect to a Windoze drive share by name then that will not work
    unless as I said you put the host name in the Windows hosts file. The only
    way around this is to either set up Samba as WINS server (or even use a
    real WINS server if you must) or don't use the name use the ip address. e.g.
    enter into the windoze run command:

    \\192.168.100.x\sharename

    If it still doesn't work then you will have to start looking at stuff on
    the Linux OpenVPN server. e.g. do your iptables rules in the FORWARD chain
    allow the source address of the OpenVPN client to get through to the
    required internal addresses and ports. If you don't know what the source
    address is then either check the OpenVPN config or again after establishing
    the OpenVPN tunnel on the client do from the client Windoze prompt:

    ipconfig /all

    That should show what ip address OpenVPN has assigned for the use as the
    source address of stuff coming in over the tunnel. Don't confuse it with
    the real public IP address that the ISP provided for the internet
    connection that will belong to the physical interface listed by the above
    command.


    >
    > I have to say the firewall which also holds openvpn
    > has several interfaces:
    > 1) internet (83.82.81.1)
    > 2) intern lan (192.168.100.x)
    > 3) dmz (83.82.81.x)
    > 4) wlan (192.168.101.x)
    >
    > all subnets are reached from any other inside
    > the firewall allows only access to dmz from outside
    >
    > I am just trying the bridge setup.
    >
    > The bridge is bound to 192.168.100.x
    > does anybody know if I have to bind the bridge to the
    > other subnets explicitly?


    I didn't realise you were configuring a layer 2 bridge. Why would you do
    that in this case?

    Klazmon.
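
Added example (not part of any post in the thread): a small Python check of a routed (tun) server.conf against two points raised above, that the `server` tunnel pool must not overlap an internal subnet (the `server 1.2.4.0 255.255.255.0` question) and that each internal subnet needs a pushed route. The sample config is constructed from addresses quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: routed (tun) server.conf built from the thread's addresses.
SAMPLE_CONF = """
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_conf(text):
    """Return (dev, tunnel_pool, pushed_routes) from server.conf text."""
    dev, pool, pushed = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
        parts = line.split()
        if m:
            pushed.append(_net(m.group(1), m.group(2)))
        elif parts[0] == "dev" and len(parts) > 1:
            dev = parts[1]
        elif parts[0] == "server" and len(parts) > 2:
            pool = _net(parts[1], parts[2])
    return dev, pool, pushed

def lint(text, internal_nets):
    """List findings for a routed setup that must reach internal_nets."""
    dev, pool, pushed = parse_conf(text)
    findings = []
    if dev is None or not dev.startswith("tun"):
        findings.append(f"dev is {dev!r}: these checks assume a routed tun device")
    if pool is None:
        findings.append("no 'server <network> <netmask>' directive found")
    for net in map(ipaddress.ip_network, internal_nets):
        if pool is not None and pool.overlaps(net):
            findings.append(f"tunnel pool {pool} overlaps internal net {net}")
        if not any(net.subnet_of(route) for route in pushed):
            findings.append(f"no pushed route covers {net}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, ["192.168.100.0/24", "192.168.101.0/24"]):
        print(finding)
```

Run against the sample with both internal subnets listed in the thread, it reports that 192.168.101.0/24 has no pushed route.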








  8. Re: openVPN: no home network access

    Hi Klazmon,

    I started with the tun device.
    I had problems with the different subnets.
    So I switched to a bridge config.

    That's just changing 3 or 4 lines in the
    config files and 2 lines in the openvpn
    script.

    BTW: I used ipconfig / route print etc
    to check if routes set by push are ok.

    Do you have an idea how to check openvpn
    in my config from inside the net?

    Best
    Juergen



