OpenVPN Server - Can't access other devices on the TrueNAS Network // Routing issue?

Raowlz

Cadet
Joined
Nov 13, 2020
Messages
6
Hello !

I spent a lot of time trying to figure out my mistake, but I'm overloaded and I need your help. I will try to summarize my actions. But if any of you can help me I would be very grateful!
My Issue : When I'm connected to the VPN, I can reach my TrueNAS Server (the VPN server) but can't reach other devices on the same network.


My home network : 192.168.1.0/24
My ISP router : 192.168.1.254
My TrueNAS : 192.168.1.5

I've created CA & Certificate without Issue.

Find below my OpenVPN configuration :
2021-01-31_23-28-27.png


With this configuration, I can reach the TrueNAS server on 10.10.0.1 and I have internet access from the ISP where I'm connected (split tunneling).

So, I've tried to add this in Additional Parameters:

local 192.168.1.5
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.5 255.255.255.0 10.10.0.1

2021-01-31_23-37-48.png

Now I can access the NAS with the local IP (192.168.1.5), but I cannot reach all other devices on the network.

So I've tried to add "gateway_enable" in "System > Tunable", but same issue (even after a restart).
I've also tried to add rules in the TrueNAS FW, same issue (as explained here).

If someone has an idea, I'll be very happy to test it :smile:

Many thanks
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Does the rest of your network have a return path for the traffic? If the rest of the network does not know how to get to 10.10.0.0/24, their return traffic is probably going out towards the Internet.

You need to have something creating a route for the return traffic. This can either be a manually configured route on each device on the network, or you can do it at the upstream gateway. Each has pros and cons.
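
An added illustration of the return-path point above, not part of the original thread: a small longest-prefix-match model that traces where a LAN device's reply to a VPN client goes, with no return route, with the route on the upstream gateway, and with the route on the device itself. The LAN host 192.168.1.20 and the client tunnel address 10.10.0.6 are constructed; the other addresses come from the first post.

```python
import ipaddress

# Constructed routing tables using the addresses from the first post.
# Each entry is (destination prefix, next hop); None means directly connected.
LAN_HOST = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.254")]
ROUTER = [("192.168.1.0/24", None), ("0.0.0.0/0", "internet")]
VPN_SERVER = [("192.168.1.0/24", None), ("10.10.0.0/24", None),
              ("0.0.0.0/0", "192.168.1.254")]
RETURN_ROUTE = ("10.10.0.0/24", "192.168.1.5")  # tunnel subnet via the VPN server


def next_hop(table, dst):
    """Longest-prefix match: return the next hop for dst (None = on-link)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def build(fix=None):
    """fix is None, "router" or "host": where the return route is installed."""
    return {
        "192.168.1.20": LAN_HOST + ([RETURN_ROUTE] if fix == "host" else []),
        "192.168.1.254": ROUTER + ([RETURN_ROUTE] if fix == "router" else []),
        "192.168.1.5": VPN_SERVER,
    }


def reply_path(tables, start, dst, max_hops=8):
    """Follow a reply from device `start` towards dst, hop by hop."""
    path, here = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables[here], dst)
        if hop is None:          # dst is directly connected: delivered
            return path + [dst]
        path.append(hop)
        if hop not in tables:    # left the modelled devices (the Internet)
            return path
        here = hop
    return path


if __name__ == "__main__":
    for fix in (None, "router", "host"):
        print(fix, " -> ".join(reply_path(build(fix), "192.168.1.20", "10.10.0.6")))
```

Without the extra route, the reply follows the default route to 192.168.1.254 and leaves towards the Internet; with it, the reply is handed to 192.168.1.5 and reaches the tunnel.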
 

Raowlz

Cadet
Joined
Nov 13, 2020
Messages
6
No, I haven't created a route on my router.
But, I don't understand, my OpenVPN works fine from a Synology NAS on the same network. I can't do the same from my TrueNAS.
With OpenVPN on Synology, I think the route is created automatically.

I've tried to do a "route add" from my Windows 10 client, but same issue. If someone can help me to find the solution I'll be happy.

Thanks
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Is your Synology-based OpenVPN perhaps a TAP VPN instead of a TUN VPN?
 

Raowlz

Cadet
Joined
Nov 13, 2020
Messages
6
To be honest I don't know, this is the default OpenVPN App, and you can't choose between TUN or TAP.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Okay, well, then, I don't know either. If you have a TAP VPN, you are mostly emulating a direct ethernet connection to the local network, so it is easy to pick up routing clues from DHCP or RA. If you have a TUN VPN, those operate on a separate IP subnet, and your routing environment needs to be coherent in order for it to work correctly. Every time I hear someone kvetching about OpenVPN reachability issues, whether on FreeNAS or elsewhere, it is almost always lack of return path routing that is the issue.
 

rasalone

Dabbler
Joined
Dec 21, 2020
Messages
10
I would try to narrow down what direction to look at with a tcpdump and look for the traffic on the Ethernet interface connected to the LAN. If it goes out but not back, you will want to look closer at that return route. If you never got the packet to show up there, you still didn't get FreeBSD to enable gateway or client VPN config.
 

Pawulon

Cadet
Joined
May 19, 2021
Messages
3
OK, it seems that I have the same problem...

My configuration is:

Home network : 192.168.33.0
  • VPN server: 192.168.33.33 (freeNAS/)
  • DNS server: 192.168.33.101 (PiHole)
  • DHCP server: 192.168.33.1 (home router/gateway)

VPN network: 192.168.22.0
  • VPN Gateway: 192.168.22.1

Static ROUTE:
  • on home router: 192.168.22.0 to gateway 192.168.33.33
  • on VPN server (Free NAS) - 192.168.22.0 to gateway 192.168.33.33
  • on VPN client 192.168.33.0 to gateway 192.168.22.1

openvpn static route.png


At client normal configuration internet is working, and there is only access to 192.168.22.1 router.

I would like that client be able to:
  • see all hosts at home network
  • use home network DNS server

Additional VPN client config:

push "route 192.168.33.0 255.255.255.0 192.168.22.1" ; Static route from VPN network to home network via 192.168.22.1 VPN gateway
push "redirect-gateway def1 bypass-dhcp" ; if I enable this option, at VPN client the internet stops working, and there is access to 192.168.33.33 VPN server
;push "redirect-gateway autolocal"
push "dhcp-option DNS 192.168.33.33"
push "dhcp-option DNS 192.168.33.1" ; DNS are set on VPN client, but client can't see them.
push "dhcp-option DNS 192.168.22.1"
;push "dhcp-option DNS 192.168.33.101"
openvpen client config.png
 