28 replies to this topic

[jpuigs]

--------------------------------------------------------------------------
| HOUSE 1 (LAN 1)  192.168.0.0/24                                        |
|   ---------------                                                      |
|  |Router 1       |------------------------------------                 |
|  |192.168.0.1    |                                   |                 |
|   ----------------                                   |                 |
|          |                                           |                 |
|   ----------------------              -------------------------------  |
|  |Win 10        (PC)   |             |Enigma Boxes                   | |
|  |LAN IP: 192.168.0.2  |             |LAN: 192.168.0.10 to ...0.16   | |
|  |OpenVPN IP: 10.9.0.2 |             |                               | |
|   ----------------------              -------------------------------  |
|                                                                        |
--------------------------------------------------------------------------

 

 

--------------------------------------------------------------------------
| HOUSE 2 (LAN 2) 192.168.1.0/24                                         |
|   ---------------                                                      |
|  |Router 2       |------------------------------------                 |
|  |192.168.1.1    |-------                            |                 |
|   ----------------      |                            |                 |
|                         |                            |                 |
|      ---------------------------      -------------------------------  |
|      |IP-Cam     192.168.1.44  |     |OsMio+ 4K  192.168.1.16        | |
|      |                         |     |OpenVPN server                 | |
|      |                         |     |OpenVPN IP: 10.9.0.1           | |
|      ---------------------------      -------------------------------  |
|                                                                        |
--------------------------------------------------------------------------

 

 

I'm in HOUSE 1, and I want to access devices in HOUSE 2, where I configure a openvpn server in a OsMio+ box , tun mode.

I add:  push "route 192.168.1.0 255.255.255.0" to server config.

 

On HOUSE 1, I connect to HOUSE 2 server, and I get a OVPN IP: 10.9.0.2

The only thing I can access on HOUSE 2 is the OpenVPN server(The OsMio+ box), either using 192.168.1.16 or 10.9.0.1 .

But I can't access other 192.168.1.X devices (router, cameras,....)

 

If I do the same, using a Raspberry as a server (IP 192.168.1.254) instead of Edision Enigma box, I can access all machines on 192.168.1.X.

 

What I'm doing wrong ???  Is anything difrerent on enigma than on Rasperry ??

 

 

 

Edited by jpuigs, 9 December 2020 - 02:33.

[jpuigs]

I forgot to say that.........

root@osmio4kplus:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

root@osmio4kplus:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.9.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

root@osmio4kplus:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 5C:FA:00:00:1C:94
          inet addr:192.168.1.16  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11153 errors:0 dropped:256 overruns:0 frame:0
          TX packets:13895 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:777283 (759.0 KiB)  TX bytes:922368 (900.7 KiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:824 (824.0 B)  TX bytes:824 (824.0 B)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.9.0.1  P-t-P:10.9.0.1  Mask:255.255.255.0
          inet6 addr: fe80::6e5c:dbd1:d63f:6486/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:168 (168.0 B)

Edited by jpuigs, 9 December 2020 - 10:40.

[WanWizard]

The other devices don't know the route back.

 

Give router 2 a static route "10.0.9.0/24 next hop 192.168.1.16" so that when that camera gets a packet with source IP 10.0.9.2, it will send the reply to router 2, and router 2 will forward it to the OS Mio.

[jpuigs]

Thanks.

 

I don't know how to set "next hop".

Here is the static route configurator.

 

 router2-1.jpg   111.2KB   2 downloads

 

 

I've added what you see in picture, and then all routes are as follow:

 

 router2-2.jpg   96.71KB   2 downloads

 

Is it correct ?

 

 

...... and Why don't I need to do it, when  the OVPN server is a Raspberry ?

 

 

[WanWizard]

I think in that config, "gateway" is indeed the next hop address.

 

If you replace the OS Mio by a RasPi, you still need to do this. There is no way the IP-Cam would know the route to 10.9.0.0/24.

 

Are you sure you didn't use a TAP interface in that case, instead of a TUN interface? Which would give the client a 192/168.2.x address, which the IP-Cam could reach (as it is local).

[jpuigs]

I think in that config, "gateway" is indeed the next hop address.

 

It works....  

 

 

If you replace the OS Mio by a RasPi, you still need to do this. There is no way the IP-Cam would know the route to 10.9.0.0/24.

 

I can assure you that it worked.

It was from Home 2 to Home 1

Rasp PI3 is in Home 1, and on Home 2 I can connect using a W10 laptop (it gets IP 10.8.0.2) , and I can see all enigma boxes using their real 192.168.0.X addresses.

 

 

 

Are you sure you didn't use a TAP interface in that case, instead of a TUN interface? Which would give the client a 192/168.2.x address, which the IP-Cam could reach (as it is local).

 

 

 

No.

I commented here... https://forums.openp...penvpn-configs/

port XXXXXX
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"

It's a X-File ??????

Edited by jpuigs, 10 December 2020 - 02:01.

[WanWizard]

Rasp PI3 is in Home 1, and on Home 2 I can connect using a W10 laptop (it gets IP 10.8.0.2) , and I can see all enigma boxes using their real 192.168.0.X addresses.

 

I have no explanation. There is no way the boxes wouldn't know the way to 10.8.0.2 without addditional actions.

 

They will send packets to the default gateway for IP's outside the local LAN (which I assume is the router and not the RasPi) and the router will drop them is it doesn't have a route and will not send RFC1918 addresses to the internet.

 

It will work if the RasPi is the default gateway in the Home 1 LAN, or if both RasPi and router talk some routing protocol like RIP.

[jpuigs]

You have no explanation...................I don't have it either

Why do you think I asked for help yesterday ? Because when I configured the first VPN I had no problem because it worked from first moment.

 

Now I'm in HOUSE 1 (it's not on first post drawing, but here I have a raspi3b as a ovpn server ...0.254 ) and using laptop and a 4G (LTE) internet connection I've checked AGAIN that I can connect to all devices on HOUSE 1, and router has no added lines...

 

Rasp IP is 192.168.0.254, and of course, it's not the defalut gateway... it's 192.168.0.1

 

 router1.jpg   169.36KB   2 downloads

 

 

As you can see there is nothing about 10.8.0.0......

(interfaces veip0.2 and veip0.3 are voice and udp TV services.)

Router is same model as HOUSE 2 (Movistar Spain Fiber FTTH)

 

Is there any way to know what you said about RasPi and router talking some routing protocol like RIP...??

Edited by jpuigs, 10 December 2020 - 19:11.

[WanWizard]

If there were dynamic routes at play, they would show up on the router.

 

Humor me, and do a

ip route -n
traceroute <tunnel-ip-of-your-pc>

from one of the boxes, and post the result here. I hate it that I don't understand why something does or doesn't worrk .
 

[jpuigs]

Now I'm in HOUSE 2.

 

Here local IPs are 192.168.1.X.

Osmio Openvpn is stopped (If I'm here I don't need it working).

Now I connect to Rasp OpenVPN on HOUSE 1.

 

HOUSE 1:

Router is 192.168.0.1

Enigma Boxes are .11, .12, .14, .15 and .16

Rasp (openVPN server) is 192.168.0.254 (and 10.8.0.1)

 

 

Here, in House 2:

Router is 192.168.1.1

Osmio+ box (VPN server OFF) is 192.168.1.16

Laptop PC is 192.168.1.2

 

I connect to VPN on HOUSE 1........

Then, laptop PC gets IP 10.8.0.2

 

 

 

I can "see" Octagon SF8008 on HOUSE 1, IP 192.168.0.14. 

I see OWIF and I connect via SSH....

root@192.168.0.14's password:

root@sf8008:~# ip route -n
ip: invalid argument '-n' to 'ip'

root@sf8008:~# traceroute 10.8.0.2
traceroute to 10.8.0.2 (10.8.0.2), 30 hops max, 38 byte packets
1  192.168.0.1 (192.168.0.1)  0.843 ms  0.819 ms  0.759 ms
2  *  *  *
3  *  *  *
..... 4 to 29 are identical too *  *  *
30  *  *  *
root@sf8008:~#

On Win10 Laptop I do a tracert to 192.168.0.14....

C:\Users\Jordi>tracert 192.168.0.14
Traza a la dirección SF8008 [192.168.0.14]
sobre un máximo de 30 saltos:
  1    19 ms    16 ms    16 ms  10.8.0.1
  2    18 ms    18 ms    18 ms  SF8008 [192.168.0.14]
Traza completa.
C:\Users\Jordi> 

Ipconfig on Laptop:

Adaptador desconocido OpenVPN TAP-Windows6:
   Sufijo DNS específico para la conexión. . :
   Descripción . . . . . . . . . . . . . . . : TAP-Windows Adapter V9
   Dirección física. . . . . . . . . . . . . : deleted :)
   DHCP habilitado . . . . . . . . . . . . . : sí
   Configuración automática habilitada . . . : sí
   Dirección IPv4. . . . . . . . . . . . . . : 10.8.0.2(Preferido)
   Máscara de subred . . . . . . . . . . . . : 255.255.255.0
   Concesión obtenida. . . . . . . . . . . . : jueves, 10 de diciembre de 2020 23:14:42
   La concesión expira . . . . . . . . . . . : viernes, 10 de diciembre de 2021 23:14:42
   Puerta de enlace predeterminada . . . . . :
   Servidor DHCP . . . . . . . . . . . . . . : 10.8.0.254
   NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado

Adaptador de LAN inalámbrica Wi-Fi :
   Sufijo DNS específico para la conexión. . :
   Descripción . . . . . . . . . . . . . . . : Qualcomm Atheros QCA9377 Wireless Network Adapter
   Dirección física. . . . . . . . . . . . . : deleted :)
   DHCP habilitado . . . . . . . . . . . . . : sí
   Configuración automática habilitada . . . : sí
   Dirección IPv4. . . . . . . . . . . . . . : 192.168.1.2(Preferido)
   Máscara de subred . . . . . . . . . . . . : 255.255.255.0
   Concesión obtenida. . . . . . . . . . . . : jueves, 10 de diciembre de 2020 22:51:35
   La concesión expira . . . . . . . . . . . : viernes, 11 de diciembre de 2020 22:51:35
   Puerta de enlace predeterminada . . . . . : 192.168.1.1
   Servidor DHCP . . . . . . . . . . . . . . : 192.168.1.1
   Servidores DNS. . . . . . . . . . . . . . : 80.58.61.254
                                               80.58.61.250
   NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado

If I ping from SF8008 (.0.14) to laptop, 100% loss.........   BUT I CAN connect from Lapop to SF8008 via FTP, SSH, OWIF.......

 

I don't understand why it works too............

Edited by jpuigs, 10 December 2020 - 23:52.

[WanWizard]

iptables masquerading (NAT) active on de Pi?

 

When you connect to a box with, do a

netstat -n | grep :22

to see what the box sees as the source IP of your PC.
 

[jpuigs]

root@192.168.0.16's password:
root@et10000:~# netstat -n | grep :22
tcp        0     64 192.168.0.16:22         192.168.0.254:52752     ESTABLISHED
root@et10000:~#

root@192.168.0.14's password:
root@sf8008:~# netstat -n | grep :22
tcp        0     64 192.168.0.14:22         192.168.0.254:52777     ESTABLISHED
root@sf8008:~#

192.168.0.254 is Rasp.

[WanWizard]

Ok, so the RasPi does NAT. Problem solved.

[jpuigs]

So, the raspi does nat, and enigma box doesn't...... Which of them work properly, or which of them work  as it should ??

 

On the raspi, I haven't done anything more than installing openvpn and configuring it. I haven't done anything about NAT.

 

 

I dont know if it may have something to do....

On Rasp server, I have nothing about : redirect gateway def1

Edited by jpuigs, 11 December 2020 - 16:08.

[WanWizard]

"redirect gateway def1" is a client setting which means no split tunnel is used, all client traffic is redirected into the tunnel.

 

I don't know what you run on the Pi, my Pi's run CentOS, and that doesn't have any firewall rules by default.

 

You can check with "iptables -L" to see what rules are active.

[jpuigs]

pi@raspberrypi:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
pi@raspberrypi:~ $

pi@raspberrypi:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
pi@raspberrypi:~

[WanWizard]

Hmm... The plot thickens, as they say...

 

Afaik OpenVPN does not have any built-in NAT capability, so if you really use a tun device in Windows, and not a tap device, I'm out of idea's.

[jpuigs]

pi@raspberrypi:~ $ cd /etc/openvpn/

pi@raspberrypi:/etc/openvpn $ cat server.conf
dev tun
proto udp
port XXXXX
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
......

config file on w10 laptop

client
dev tun
proto udp
remote XXX.XXX.XXX XXXX
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberrypi name
cipher AES-256-GCM
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBtTCCAVqgAwIBAgITZPc/gHTdu
..........

But looking at the win10 client log......... i see a strange thing.....

 

If I set to TUN, why does it open a TAP driver ????

 

open_tun
tap-windows6 device [OpenVPN TAP-Windows6] opened
TAP-Windows Driver Version 9.24

Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]

2020-12-11 18:27:03 OpenVPN 2.5_rc2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 30 2020
2020-12-11 18:27:03 Windows version 10.0 (Windows 10 or greater) 64bit
2020-12-11 18:27:03 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2020-12-11 18:27:03 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2020-12-11 18:27:03 Need hold release from management interface, waiting...
2020-12-11 18:27:03 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
2020-12-11 18:27:04 MANAGEMENT: CMD 'state on'
2020-12-11 18:27:04 MANAGEMENT: CMD 'log all on'
2020-12-11 18:27:04 MANAGEMENT: CMD 'echo all on'
2020-12-11 18:27:04 MANAGEMENT: CMD 'bytecount 5'
2020-12-11 18:27:04 MANAGEMENT: CMD 'hold off'
2020-12-11 18:27:04 MANAGEMENT: CMD 'hold release'
2020-12-11 18:27:04 MANAGEMENT: CMD 'password [...]'
2020-12-11 18:27:04 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-12-11 18:27:04 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-12-11 18:27:04 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-12-11 18:27:04 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-12-11 18:27:04 MANAGEMENT: >STATE:1607707624,RESOLVE,,,,,,
2020-12-11 18:27:04 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XX.XX.XX YYYYY
2020-12-11 18:27:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2020-12-11 18:27:04 UDP link local: (not bound)
2020-12-11 18:27:04 UDP link remote: [AF_INET]XX.XX.XX.XX:YYYYY
2020-12-11 18:27:04 MANAGEMENT: >STATE:1607707624,WAIT,,,,,,
2020-12-11 18:27:04 MANAGEMENT: >STATE:1607707624,AUTH,,,,,,
2020-12-11 18:27:04 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:YYYYY, sid=646f6869 120fde53
2020-12-11 18:27:04 VERIFY KU OK
2020-12-11 18:27:04 Validating certificate extended key usage
2020-12-11 18:27:04 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-12-11 18:27:04 VERIFY EKU OK
2020-12-11 18:27:04 VERIFY X509NAME OK: CN=raspberrypi
2020-12-11 18:27:04 VERIFY OK: depth=0, CN=raspberrypi
2020-12-11 18:27:04 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
2020-12-11 18:27:04 [raspberrypi] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:YYYYY
2020-12-11 18:27:05 MANAGEMENT: >STATE:1607707625,GET_CONFIG,,,,,,
2020-12-11 18:27:05 SENT CONTROL [raspberrypi]: 'PUSH_REQUEST' (status=1)
2020-12-11 18:27:05 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0'
2020-12-11 18:27:05 OPTIONS IMPORT: timers and/or timeouts modified
2020-12-11 18:27:05 OPTIONS IMPORT: --ifconfig/up options modified
2020-12-11 18:27:05 OPTIONS IMPORT: route options modified
2020-12-11 18:27:05 OPTIONS IMPORT: route-related options modified
2020-12-11 18:27:05 OPTIONS IMPORT: peer-id set
2020-12-11 18:27:05 OPTIONS IMPORT: adjusting link_mtu to 1624
2020-12-11 18:27:05 Using peer cipher 'AES-256-GCM'
2020-12-11 18:27:05 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-11 18:27:05 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-11 18:27:05 interactive service msg_channel=432
2020-12-11 18:27:05 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=16 HWADDR=40:9f:38:16:c1:19
2020-12-11 18:27:05 open_tun
2020-12-11 18:27:05 tap-windows6 device [OpenVPN TAP-Windows6] opened
2020-12-11 18:27:05 TAP-Windows Driver Version 9.24
2020-12-11 18:27:05 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
2020-12-11 18:27:05 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {85E0D69A-BD0C-4D4A-B2F4-5D4DAC0B9C1B} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
2020-12-11 18:27:05 Successful ARP Flush on interface [11] {85E0D69A-BD0C-4D4A-B2F4-5D4DAC0B9C1B}
2020-12-11 18:27:05 MANAGEMENT: >STATE:1607707625,ASSIGN_IP,,10.8.0.2,,,,
2020-12-11 18:27:05 IPv4 MTU set to 1500 on interface 11 using service
2020-12-11 18:27:10 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
2020-12-11 18:27:10 MANAGEMENT: >STATE:1607707630,ADD_ROUTES,,,,,,
2020-12-11 18:27:10 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.1
2020-12-11 18:27:10 Route addition via service succeeded
2020-12-11 18:27:10 Initialization Sequence Completed
2020-12-11 18:27:10 MANAGEMENT: >STATE:1607707630,CONNECTED,SUCCESS,10.8.0.2,XX.XX.XX.XX,YYYYY,,
2020-12-11 18:34:11 C:\WINDOWS\system32\route.exe DELETE 192.168.0.0 MASK 255.255.255.0 10.8.0.1

[WanWizard]

According to the log it does setup a tunnel, gets assigned IP address 10.8.0.2. So client side looks fine, it does not explain why on the server side, the source address is translated to the IP address of the RasPi.

[jpuigs]

I already suposed that the win10 client worked fine, because If I setup openvpn (as a client) on Osmio+ here in HOUSE 2, it gets IP 10.8.0.3 , and it sees all devices on HOME 1 too, like win10 laptop.

 

In Spain we say:

 

"Nunca te acostarás...

sin saber una cosa más."

 

It can't be literally translated to english , because it would be: You'll never go to bed, without knowing one more thing"

But I would translate it as: "You'll learn a new thing every day".