I have this problem:
I connected a RUT955 client to a server with OpenVPN, with VPN IP 172.100.34.6.
Now, on the server, I would like to be able to see the router IP 10.100.45.1 (the IP of the RUT955).
I tried different rules on the NAT, but without success.
What is the address of the LAN network on RUT955? If it is 10.100.45.0/24, then you need to add a route to this network via RUT955 on your OpenVPN server.
For example, add the following to the server config:
client-config-dir /etc/openvpn/ccd
This tells the server where the client configurations are located. You can use a different directory, but in this case, the client information will be stored here.
Within the directory (in this example, /etc/openvpn/ccd), create a file named after the client’s Common Name (CN) from their certificate. For example, if a client’s CN is client1, then you would create a file named client1 inside the ccd directory. In this file, you can specify options for this specific client. To associate a client with a specific network, you can use the iroute option. For instance, if the LAN network on RUT955 is 10.100.45.0/24:
iroute 10.100.45.0 255.255.255.0
This tells the server to associate the network 10.100.45.0/24 with client1. Basically, this means that the server will route traffic destined to this network via client1 (RUT955 in this case).
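Added example, not part of the original reply: iroute only tells the OpenVPN process which client owns a subnet, so the main server config also needs a `route` line for that subnet to send the traffic into the tunnel. The Python check below lists every iroute in the ccd files that has no covering `route`; the config text, client2 and 192.168.50.0/24 are constructed sample values.

```python
import ipaddress
import re


def parse_directives(text, keyword):
    """Return IPv4 networks from '<keyword> <network> [netmask]' lines."""
    nets = []
    for line in text.splitlines():
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if len(fields) < 2 or fields[0] != keyword:
            continue
        # OpenVPN treats a missing netmask as a host route (255.255.255.255).
        mask = fields[2] if len(fields) >= 3 else "255.255.255.255"
        try:
            nets.append(ipaddress.ip_network(f"{fields[1]}/{mask}", strict=False))
        except ValueError:
            pass  # hostnames or keywords instead of an address: not checked here
    return nets


def unrouted_iroutes(server_conf, ccd_files):
    """List (common_name, network) iroutes with no covering server 'route'."""
    routes = parse_directives(server_conf, "route")
    missing = []
    for cn, text in sorted(ccd_files.items()):
        for net in parse_directives(text, "iroute"):
            if not any(net.subnet_of(r) for r in routes):
                missing.append((cn, str(net)))
    return missing


# Constructed sample input (not the poster's real configuration).
SERVER_CONF = """\
server 172.200.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
route 10.100.45.0 255.255.255.0
"""
CCD = {
    "client1": "iroute 10.100.45.0 255.255.255.0\n",
    "client2": "iroute 192.168.50.0 255.255.255.0  # no matching route\n",
}

if __name__ == "__main__":
    for cn, net in unrouted_iroutes(SERVER_CONF, CCD):
        print(f"{cn}: iroute {net} has no 'route' in the server config")
```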
I tried to do as recommended. But I still can’t reach the LAN network of the RUT955.
Below is the response from the OpenVPN server (IP 10.200.86.1).
Do I have to do anything else?
Thanks for the reply.
Thu Oct 26 17:20:52 2023 151.36.171.175:44057 peer info: IV_TCPNL=1
Thu Oct 26 17:20:52 2023 151.36.171.175:44057 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Oct 26 17:20:52 2023 151.36.171.175:44057 [CRI86] Peer Connection Initiated with [AF_INET]151.36.171.175:44057
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 MULTI_sva: pool returned IPv4=172.200.0.6, IPv6=(Not enabled)
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 OPTIONS IMPORT: reading client specific options from: C:\Program Files\OpenVPN\config\CRI\ccd\CRI86
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 MULTI: Learn: 172.200.0.9 -> CRI86/151.36.171.175:44057
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 MULTI: primary virtual IP for CRI86/151.36.171.175:44057: 172.200.0.9
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 MULTI: internal route 10.200.86.0/24 -> CRI86/151.36.171.175:44057
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 MULTI: Learn: 10.200.86.0/24 -> CRI86/151.36.171.175:44057
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 26 17:20:52 2023 CRI86/151.36.171.175:44057 SENT CONTROL [CRI86]: 'PUSH_REPLY,route 172.200.0.1,topology net30,ping 1,ping-restart 5,ifconfig 172.200.0.9 172.200.0.8,peer-id 0,cipher AES-256-CBC' (status=1)
Would it be possible for you to share the network topology, including IP addresses, to illustrate how everything is interconnected? Additionally, please provide your OpenVPN server and client configurations. Before sharing this information here, make sure to hide any sensitive data, like public IP addresses and passwords.
Can you try pinging the server from the RUT device when connected to the VPN? And can the server ping back to the RUT’s local network at the address 10.200.86.1?
Could you please clarify if you are really using the 10.100.45.1 IP address in this scenario? Maybe you want to translate this IP via NAT? Or is the issue about getting the client’s local network to talk to the server?
Could you also show us the current routing tables on both the server and the client?