Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
ForumsLAN (ethernet/Wifi/routers/Bluetooth)Routing traffic from VPN to LAN


BDFL - Memuneh
60810 posts

Uber Geek
+1 received by user: 11690

Administrator
Trusted
Geekzone
Lifetime subscriber

Topic # 220190 30-Jul-2017 13:40
Send private message

I run a L2TP VPN on my router - mainly for use while away at hotels and conferences, so mainly to access the Internet. Seeing it's a gigabit connection the additional latency is minimal when using from AU/NZ.

 

But now and then I do want to access my home server over this VPN connection. The problem is the LAN is configured for 192.168.2.x addresses and the VPN is on 10.0.0.0/24. This means my laptop connected to the VPN can't map a drive or RDP into the home server.

 

The router is Linux-based, so is there any routing command I can add that would make routing from the VPN to LAN as transparent (and available at the same time) as routing from VPN to Internet?

 

 




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure  | Business Transformation | Enterprise Content Management

 

 

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
2079 posts

Uber Geek
+1 received by user: 498


  Reply # 1833715 30-Jul-2017 13:49
Send private message

What is your router?  

 

Also if you're looking for a good idea project, changing your local subnet to something a bit more unique (like 192.168.138.X and 10.24.13.X) will probably help you more reliably use it, as 192.168.2.X and your VPN subnet of 10.0.0.X is common and you're bound to encounter it (due to the network youre using currently also using that subnet)



BDFL - Memuneh
60810 posts

Uber Geek
+1 received by user: 11690

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1833717 30-Jul-2017 13:52
Send private message

Synology Router 2600.




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure  | Business Transformation | Enterprise Content Management

 

 

2079 posts

Uber Geek
+1 received by user: 498


  Reply # 1833723 30-Jul-2017 14:11
Send private message

I feel like I'm not 100% answering your question here, but I would investigate running a SSL VPN Server on your Synology router.

 

A) 99% of hotels will support it due to running on port 443

 

B) It supports the functionality in question

 

C) You won't be able to use the built in Windows 10 VPN client (unfortunately)

 

 

 

https://www.synology.com/en-global/knowledgebase/SRM/help/VPNPlusServer/vpnplus_server_sslvpn

3940 posts

Uber Geek
+1 received by user: 493

Trusted

  Reply # 1833735 30-Jul-2017 14:37
Send private message

Is there any reason to put your Vpn network on a different network like that? In my previous istance, I set vpn clients, generally only ever 1, me would get a 192.168.1.231 address. Vpn clients would only ever get an address above 230, and my regular dhcp would do up to 229.

Now in a USG I run a different network, but it handles the vpn and routing for me.




Previously known as psycik

NextPVR/OpenHAB: Gigabyte AMD A8 Brix --> Samsung LA46A650D via HDMI, NextPVR,OpenHAB with Aeotech ZWave Controller
Media:Chromecast v2, ATV4, Roku3, Raspberry PI temperature Sensors and Bluetooth LE Sensors,HDHomeRun Dual
Windows 2012 Host (Plex Server/Crashplan): 2x2TB, 2x3TB, 1x4TB using DriveBender, Samsung 850 evo 512 GB SSD, Hyper-V Server with 1xW10, 1xW2k8, 2xUbuntu 16.04 LTS, Crashplan, NextPVR channel for Plex,NextPVR Metadata Agent and Scanner for Plex



BDFL - Memuneh
60810 posts

Uber Geek
+1 received by user: 11690

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1833736 30-Jul-2017 14:38
Send private message

I might test the SSL VPN but really like having the device-independent VPN.




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure  | Business Transformation | Enterprise Content Management

 

 



BDFL - Memuneh
60810 posts

Uber Geek
+1 received by user: 11690

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1833737 30-Jul-2017 14:39
Send private message

@davidcole just the default install. I can change the configuration of course but that needs rearranging my network due to static IP handed to some devices I have.




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure  | Business Transformation | Enterprise Content Management

 

 

3477 posts

Uber Geek
+1 received by user: 1251

Subscriber

  Reply # 1833741 30-Jul-2017 14:52
Send private message

I'm surprised it doesn't update the routing table for you as VPN clients connect.

 

And is VPN client set to "route all traffic through this connection"..

 

VPN Adapter > Properties > Networking > IPv4 > Advanced > "Use default gateway on remote network"

 

If your PC uses your local router as the gateway when connected via VPN it should know how to route to the local LAN (because the router must know the local and remote IP used on the VPN interface). The only other thing I guess is are there strict firewall rules on the forward chain blocking traffic that isn't coming from 192.168.2.0 in to the LAN?

 

Edit: the "route" command should show you what your router has in it's routing table - same as windows "route print"

149 posts

Master Geek
+1 received by user: 26

Lifetime subscriber

  Reply # 1833808 30-Jul-2017 16:42
Send private message

Would a simple 

 

push "route 192.168.2.0 255.255.255.0"

 

in the vpn server config do the job?

 

Edit for clarity

2361 posts

Uber Geek
+1 received by user: 782

Trusted
Lifetime subscriber

  Reply # 1833880 30-Jul-2017 19:45
Send private message

I did exactly this while I was on holiday. I run a Tplink 703N which is a really nice micro router. I have an OpenVPN server running on a router at home and also a VPS in the US.
The router runs OpenWRT and I bring up the tunnel to where I want to go.
It runs as a wireless bridge so has my own SSID That tunnels via the VPN home.
I found using my US VPS faster while in the US for obvious latency reasons.





352 posts

Ultimate Geek
+1 received by user: 72


  Reply # 1833969 31-Jul-2017 01:46
Send private message

freitasm:

 

I run a L2TP VPN on my router - mainly for use while away at hotels and conferences, so mainly to access the Internet. Seeing it's a gigabit connection the additional latency is minimal when using from AU/NZ.

 

But now and then I do want to access my home server over this VPN connection. The problem is the LAN is configured for 192.168.2.x addresses and the VPN is on 10.0.0.0/24. This means my laptop connected to the VPN can't map a drive or RDP into the home server.

 

The router is Linux-based, so is there any routing command I can add that would make routing from the VPN to LAN as transparent (and available at the same time) as routing from VPN to Internet?

 

 

 

 

Mapping drives (SMB protocol) requires that you can see the broadcast messages, which are only available on the same subnet.  I do not know of any way to get a router to pass through broadcast messages between different subnets.  The usual way to get this to work with a VPN is to make sure that the VPN is bridged onto the home network on the subnet you need access to, and that the VPN assigns IP addresss that are on that same subnet.  That is how I have my OpenVPN set up and it allows me full access to my home network including all the protocols such as SMB that use broadcast messages.  The down side of doing this is that all the broadcast message traffic goes over the VPN connection, and if you are paying for the data on that connection (eg cell phone), then you will see a fair bit more traffic that you have to pay for.

 

I do not use RDP, but a quick look at how it works says it just uses TCP port 3389 and UDP port 3389, so getting your router to allow traffic to those ports between the VPN and home subnets should be all that is required.  I would have thought that RDP would have just worked with a VPN connection, but maybe your firewall is blocking those two ports.

622 posts

Ultimate Geek
+1 received by user: 121


  Reply # 1833971 31-Jul-2017 05:12
Send private message

fe31nz

 

...summed it up.

 

 

 

You can still map a network drive if you opened explorer (I'm old school running XP and 2K machines so I don't know what the terminology is in 8/10) and put the mapping in manually in the address bar ie: \\192.168.X.X\D  if there is a "D" SMB share at that IP address.

 

If you want to see the shares pop up when you go looking for them in whatever is the equivalent of My Network Places/Network Neighbourhood, then you need to see broadcast traffic. This means being on the same subnet as already mentioned.

 

Your IP broadcast addresses (not layer2 broadcast) for 192.168.2.0/24 are 192.168.2.0 and 192.168.2.255. For the 10.0.0.0/24 it's 10.0.0.0 and 10.0.0.255. Both are not routable.

 

If you wanted to use a bridge, again, they still need to be on the same subnet for the machines to receive the same broadcast packets. If two machines are on a different subnet but on the same layer2 segment (bridged or on same switch etc...), they will still ignore IP broadcasts from the other subnet address range.

 

You'd need your VPN client on the same subnet and the VPN server normally uses proxy ARP  for the VPN router to pass on the MAC addresses of the VPN clients as well etc... to make it all as transparent as possible.

 

The moment you route or change the network address range, you loose broadcast messages, but can still access shares if setup as mentioned above by IP address, you just won't see them automatically searching for them.

 

 



BDFL - Memuneh
60810 posts

Uber Geek
+1 received by user: 11690

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1834334 31-Jul-2017 14:06
Send private message

Ok, so I have changed the VPN configuration to use the same IP range as the LAN, and it's working as before - it connects, can access the Internet but can't see LAN devices - no ping, no RDP, etc.

 

I suspect the L2TP protocol implementation is blocking this, because the OpenVPN tab has an option to allow VPN devices to see the LAN devices, which is not in the L2TP tab. Only using L2TP because no client is required on both Android and Windows, but might have to look at the OpenVPN implementation...

 

For those who mentioned the subnet... Yes, I understand how it won't see each other but thought there would be a way to define a route to get packets from one to another. Since nothing in that front I just change the IP range.




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure  | Business Transformation | Enterprise Content Management

 

 

3940 posts

Uber Geek
+1 received by user: 493

Trusted

  Reply # 1834361 31-Jul-2017 14:55
Send private message

@freitasm:

 

Ok, so I have changed the VPN configuration to use the same IP range as the LAN, and it's working as before - it connects, can access the Internet but can't see LAN devices - no ping, no RDP, etc.

 

I suspect the L2TP protocol implementation is blocking this, because the OpenVPN tab has an option to allow VPN devices to see the LAN devices, which is not in the L2TP tab. Only using L2TP because no client is required on both Android and Windows, but might have to look at the OpenVPN implementation...

 

For those who mentioned the subnet... Yes, I understand how it won't see each other but thought there would be a way to define a route to get packets from one to another. Since nothing in that front I just change the IP range.

 

 

 

 

So is there any firewall as part of of the vpn server?  if everything is on the same subnet now, surely there's something like a firewall doing a block?  




Previously known as psycik

NextPVR/OpenHAB: Gigabyte AMD A8 Brix --> Samsung LA46A650D via HDMI, NextPVR,OpenHAB with Aeotech ZWave Controller
Media:Chromecast v2, ATV4, Roku3, Raspberry PI temperature Sensors and Bluetooth LE Sensors,HDHomeRun Dual
Windows 2012 Host (Plex Server/Crashplan): 2x2TB, 2x3TB, 1x4TB using DriveBender, Samsung 850 evo 512 GB SSD, Hyper-V Server with 1xW10, 1xW2k8, 2xUbuntu 16.04 LTS, Crashplan, NextPVR channel for Plex,NextPVR Metadata Agent and Scanner for Plex



BDFL - Memuneh
60810 posts

Uber Geek
+1 received by user: 11690

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1834363 31-Jul-2017 14:56
Send private message

There's the router firewall but this is WAN - LAN or WAN - ROUTER. I still have to play with the rules later today.




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure  | Business Transformation | Enterprise Content Management

 

 

494 posts

Ultimate Geek
+1 received by user: 114

Subscriber

  Reply # 1834369 31-Jul-2017 15:01
Send private message

@freitasm:

 

Ok, so I have changed the VPN configuration to use the same IP range as the LAN, and it's working as before - it connects, can access the Internet but can't see LAN devices - no ping, no RDP, etc.

 

I suspect the L2TP protocol implementation is blocking this, because the OpenVPN tab has an option to allow VPN devices to see the LAN devices, which is not in the L2TP tab. Only using L2TP because no client is required on both Android and Windows, but might have to look at the OpenVPN implementation...

 

For those who mentioned the subnet... Yes, I understand how it won't see each other but thought there would be a way to define a route to get packets from one to another. Since nothing in that front I just change the IP range.

 

 

Hopefully you have better luck with it than me. Synology's OpenVPN has been one of the buggiest implementations I have used. Would work once or twice then just die, the OpenVPN tab showed as working however it would never authenticate. So worth keeping the L2TP one running as a backup just in case so you can get in and reboot.




Geoff E

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Hawaiki Transpacific cable ready-for-service
Posted 20-Jul-2018 11:29

Microsoft Dynamics 365 Business Central launches
Posted 10-Jul-2018 10:40

Spark completes first milestone in voice platform upgrade
Posted 10-Jul-2018 09:36

Microsoft ices heated developers
Posted 6-Jul-2018 20:16

PB Technologies charged for its extended warranties and warned for bait advertising
Posted 3-Jul-2018 15:45

Almost 20,000 people claim credits from Spark
Posted 29-Jun-2018 10:40

Cove sells NZ's first insurance policy via chatbot
Posted 25-Jun-2018 10:04

N4L helping TAKA Trust bridge the digital divide for Lower Hutt students
Posted 18-Jun-2018 13:08

Winners Announced for 2018 CIO Awards
Posted 18-Jun-2018 13:03

Logitech Rally sets new standard for USB-connected video conference cameras
Posted 18-Jun-2018 09:27

Russell Stanners steps down as Vodafone NZ CEO
Posted 12-Jun-2018 09:13

Intergen recognised as 2018 Microsoft Country Partner of the Year for New Zealand
Posted 12-Jun-2018 08:00

Finalists Announced For Microsoft NZ Partner Awards
Posted 6-Jun-2018 15:12

Vocus Group and Vodafone announce joint venture to accelerate fibre innovation
Posted 5-Jun-2018 10:52

Kogan.com to launch Kogan Mobile in New Zealand
Posted 4-Jun-2018 14:34


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.