OpenVPN Configuration Help Needed

PTNL

Supreme [H]ardness
Joined
Jan 2, 2005
Messages
4,196
I am having some problems with my OpenVPN configuration, and was looking for some guidance.

What I've done so far

I am running DD-WRT v3.0-r44715 which I flashed on a router. (As of writing, that is the most recent build of DD-WRT that is available.) I wanted to set up a VPN connection into my home network and took a shot at using OpenVPN, since that is an out-of-box option.

For reference, much of my work followed along with this YouTube video:


I created an account on No-IP to translate a URL into my current assigned IP address. Then I worked through the steps in the video creating a CA cert, a server cert, a few client certs for machines/mobile (and signed with CA cert), and the Diffie-Hellman PEM. I've loaded the Base64 contents of those files into DD-WRT in the OpenVPN section, and saved the changes. I added the "iptables" line mentioned in the video as well to DD-WRT (which is also in the video description section), and finally bounced the router.

After creating the client .ovpn configuration file, I was able to use the client cert/key + CA cert in OpenVPN's client to establish a VPN connection. Running ipconfig I see an IP address on my local network, and the subnet mask is correct. I am able to browse public webpages, but that is about as far as things go.

Where I am stuck

I cannot access internal URLs, such as Plex, and cannot access network file shares on my NAS (a 2-bay QNAP box).

I can share additional information on my setup as needed. TIA for any suggestions!
 

bigstusexy

2[H]4U
Joined
Jan 28, 2002
Messages
3,194
Okay, I haven't looked at the video yet and I'm not the greatest with OpenVPN but I run it and know a thing or two.

So if I understand correctly: basically you're set up, you can connect and browse public networks but nothing internal?

If so I've got an idea, and let's try this before I ask for your configs.

Sounds like you did everything right but I'm guessing your local network has no route to your VPN network. You'll need to set a route, in the end maybe you can add this route to the DDWRT router to give out and you won't have to do this on everything - but for testing, let's add it by hand.

I'm going to assume some info but you'll need to change it for your situation.

Your home network, let's say it's 192.168.1.0/24 (255.255.255.0)
and your gateway is 192.168.1.254/24
also that your VPN is 10.10.1.0/24

on a machine, I'm going with a windows box here, you'll need to run this from an elevated (run as admin) command window:
route add 10.10.1.0 mask 255.255.255.0 192.168.1.254

That will manually add a route to windows, but not permanently, after a reboot it'll be gone, you can type all that and add /p at the end to make it stick - but there is a better way.

After this, try a few ping tests, from a VPN client to the box with the route and vice versa. If that works we can proceed to step 2! Adding this route to DDWRT.
 

PTNL

Supreme [H]ardness
Joined
Jan 2, 2005
Messages
4,196
bigstusexy said: "After this, try a few ping tests, from a VPN client to the box with the route and vice versa. If that works we can proceed to step 2!"

Thanks for the suggestion! I'll test that out soon and post my results.
 

PTNL

Supreme [H]ardness
Joined
Jan 2, 2005
Messages
4,196
So I finished some initial tests, and here's what I changed:

1. Changed the OpenVPN IP range
-- It was originally on the router's DHCP range (192.168.1.0 mask 255.255.255.0). It is now set to 10.10.1.0/24 mask 255.255.255.0.

2. Applied settings in router, and bounced router.

3. Updated a few outdated drivers on the client laptop from Dell's Command Update utility.
-- This may (not) have had an impact, but mentioning it anyways for completeness.

After that, I tethered the client laptop to my cell phone and was able to connect using OpenVPN -- just like before. However, some improvements were observed...

1. Windows SMB shares on the NAS are now accessible. It is slow over the cell network, but it is functional.
2. External websites are visible -- just like before.
3. Router's admin page (by IP address) is not accessible.
4. Local Plex IP address is accessible, and some elements of the site begin to load. But some timeout is reached when it tries pulling resources from "plex.tv".
5. Running tracert from a CMD prompt to "plex.tv" gives endless "Request timed out" in the listed hops.
6. RDC to a Windows box worked successfully.

Note that at this point, I had not tried your route command. After running your suggestion from an elevated CMD prompt, I ran through the above tests but the observations noted above stayed the same.
 

bigstusexy

2[H]4U
Joined
Jan 28, 2002
Messages
3,194
Yeah, looks like the router is giving the router knows where to send traffic, I had no idea your VPN network was in the same range as the local!
I'm pretty sure you're going to be using routed mode with OpenVPN and not bridged. You won't have to add the routes.

The local admin page of the router not reachable, this might be by design or try the gateway for that the vpn client has, again it might be off limits by design but if you can get in and to a local client, you can make changes that way.

I'm not sure why plex.tv would not resolve correctly. Is your Plex set up for remote access? You may want to go to it by IP address instead of going to plex.tv, so http://serverip:32400
I'm not sure how plex.tv logic works and it could be getting confused by the network differences and it's trying to send you to the remote access of your local Plex and there could be an issue with sending forwarded connections via the VPN.
Basically, all the traffic of a device in your VPN is sent through your home connection. If you went to one of those what's my IP places, you won't get the one your phone has, you'll get the one from your house. Which all of this is fine. The problem might be trying to connect to either things on the router itself, including port forwarded services via the VPN, just like you can access the admin page.

Also check to see if there is a firewall rule or setting on a page where you can block or allow access to the router from certain networks, also one that allows remote access. If you can add networks, add your VPN network to it. If not, I'd use the local Plex address and not worry about it.
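
An added example, not part of the original thread and not DD-WRT's or OpenVPN's own tooling: a Python check for the addressing problem resolved above, where the VPN client pool sat inside the LAN range while the server ran in routed mode. The config snippets, the helper names and the assumption that the LAN is reached via a pushed route or a pushed `redirect-gateway` are constructed for illustration; the file DD-WRT generates may differ.

```python
import ipaddress

# Constructed sample configs (not from the thread). BEFORE hands VPN clients
# addresses from the LAN range; AFTER uses a separate routed subnet.
LAN = "192.168.1.0/24"
BEFORE = 'dev tun\nserver 192.168.1.0 255.255.255.0\npush "redirect-gateway def1"\n'
AFTER = 'dev tun\nserver 10.10.1.0 255.255.255.0\npush "route 192.168.1.0 255.255.255.0"\n'
NO_ROUTE = 'dev tun\nserver 10.10.1.0 255.255.255.0\n'


def parse(conf):
    """Return (vpn_pool, pushed_routes, full_tunnel) from server directives."""
    pool, pushed, full_tunnel = None, [], False
    for raw in conf.splitlines():
        # Drop comments and the quotes around push arguments, then tokenize.
        parts = raw.split("#", 1)[0].replace('"', " ").split()
        if len(parts) >= 3 and parts[0] == "server":
            pool = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif len(parts) >= 4 and parts[:2] == ["push", "route"]:
            pushed.append(ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False))
        elif parts[:2] == ["push", "redirect-gateway"]:
            full_tunnel = True  # clients send all traffic through the tunnel
    return pool, pushed, full_tunnel


def audit(conf, lan_cidr):
    """List addressing problems that break routed (tun) access to the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    pool, pushed, full_tunnel = parse(conf)
    if pool is None:
        return ["no 'server' directive found"]
    findings = []
    if pool.overlaps(lan):
        # Client and LAN hosts believe they share a segment, so replies never
        # go back through the router to the tunnel.
        findings.append(f"VPN pool {pool} overlaps LAN {lan}")
    elif not full_tunnel and not any(lan.subnet_of(r) for r in pushed):
        findings.append(f"no pushed route covers LAN {lan}")
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER), ("no route", NO_ROUTE)):
        print(name, audit(conf, LAN) or "ok")
```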
 

PTNL

Supreme [H]ardness
Joined
Jan 2, 2005
Messages
4,196
bigstusexy said: "I'm not sure why plex.tv would not resolve correctly. Is your Plex set up for remote access? You may want to go to it by IP address instead of going to plex.tv, so http://serverip:32400"
I did go to the internal/private IP address for my Plex installation (i.e. IP:32400). However, the "plex.tv" work was likely possibly due to my Plex Pass membership and Plex timing out on those calls. I had forgotten about Plex's (paid?) feature for remote access, that is worth looking into in the Plex admin area.

bigstusexy said: "I'm not sure how plex.tv logic works and it could be getting confused by the network differences and it's trying to send you to the remote access of your local Plex and there could be an issue with sending forwarded connections via the VPN."
I didn't put much time into it at first. I can certainly run Fiddler to see how the traffic is translating for my browser -- I just was short on time last night, and wanted to get a few other areas looked at.


Thanks again for the responses, bigstusexy. I'll dig more into the few straggling areas, but I truly appreciate your help in getting me this far!
 

bigstusexy

2[H]4U
Joined
Jan 28, 2002
Messages
3,194
No worries, good luck!

Plex.tv should work without the paid stuff, I'm using it and I don't have a pass.
 