Accessing server side LAN devices over OpenVPN

I have been trying to set up OpenVPN for the longest time now. I've tried it on my spare MacBook Air, but the server isn't easy to set up there (if it's even possible). So I decided to go the easier route and get it running on the Pi 3.

I tried setting it up from scratch, but it's better to just use the pivpn utility. I had it set up and working in no time.

After setting up the keys and the DH parameters, which is pretty straightforward, the .ovpn configs were generated for the clients. I used the same config on my Android phone with OpenVPN Connect to get it working.

The first issue was that all my traffic was being redirected through the tunnel. To stop that, I had to remove redirect-gateway def1 from the config; it turned out to be pushed by the server.

However, once I did that, I was left with access to just the VPN address of the OpenVPN server, which didn't help.

So let me first share how the network is set up.

  • Home LAN is on the subnet 192.168.1.0/24 (I know, it shouldn't be that generic; I'll change it someday)
  • The OpenVPN server assigns addresses from the pool 10.8.0.0/24, taking 10.8.0.1/32 for itself.
  • WAN IP of the gateway in front of the server is 72.220.171.XXX
  • My client LAN uses the pool 10.0.1.0/24, with the client at 10.0.1.77/32
  • And my client WAN IP is 77.184.88.XXX

Let's look at the server config:

dev tun  
proto udp  
port 1194

ca /etc/openvpn/easy-rsa/pki/ca.crt  
cert /etc/openvpn/easy-rsa/pki/issued/server.crt  
key /etc/openvpn/easy-rsa/pki/private/server.key  
dh /etc/openvpn/easy-rsa/pki/dh2048.pem  
topology subnet

server 10.8.0.0 255.255.255.0

# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2

# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"

# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"

# your local subnet
#push "route 0.0.0.0 "
push "route 192.168.1.0 255.255.255.0"

# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"  
push "dhcp-option DNS 8.8.4.4"

# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
#push "redirect-gateway def1"

client-to-client  
duplicate-cn  
keepalive 10 120  
tls-version-min 1.2  
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0

cipher AES-256-CBC  
auth SHA256

comp-lzo  
user nobody  
group nogroup

persist-key  
persist-tun  
crl-verify /etc/openvpn/crl.pem  
status /var/log/openvpn-status.log 20

status-version 3  
log /var/log/openvpn.log

verb 1  
# Generated for use by PiVPN.io

So commenting out redirect-gateway def1 stopped all traffic from going through the VPN, and manually pushing the route for the server-side LAN from the server to the client enabled access to it:
push "route 192.168.1.0 255.255.255.0"
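As an added example (not from this post or from PiVPN), here is a small Python checker that parses a server config like the one above and reports what clients will receive: whether redirect-gateway is still pushed, which routes are pushed, whether a push line has broken quoting such as a missing closing quote (OpenVPN refuses to start on such a file), and whether a pushed route overlaps the client's own LAN, which is the practical problem with a generic 192.168.1.0/24 home subnet. The excerpt it parses is a constructed subset of the config above.

```python
import ipaddress
import shlex

# Constructed excerpt of the PiVPN-style server.conf shown above (not the full file).
SAMPLE_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
#push "redirect-gateway def1"
"""


def parse_pushes(conf_text):
    """Return (pushed option strings, line numbers of lines with broken quoting)."""
    opts, bad = [], []
    for no, line in enumerate(conf_text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#;":      # '#' or ';' starts a comment line
            continue
        try:
            tokens = shlex.split(line)        # splits the double-quoted push argument
        except ValueError:                    # e.g. a missing closing quote
            bad.append(no)
            continue
        if len(tokens) == 2 and tokens[0] == "push":
            opts.append(tokens[1])
    return opts, bad


def pushed_routes(conf_text):
    """Networks a client adds to its routing table from 'push "route NET MASK"'."""
    nets = []
    for opt in parse_pushes(conf_text)[0]:
        parts = opt.split()
        if parts[:1] == ["route"] and len(parts) >= 3:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def pushes_default_gateway(conf_text):
    """True if the server still sends all client traffic through the tunnel."""
    return any(opt.split()[:1] == ["redirect-gateway"] for opt in parse_pushes(conf_text)[0])


def routes_clashing_with_client_lan(conf_text, client_lan):
    """Pushed routes overlapping the client's own LAN; these would shadow its local traffic."""
    lan = ipaddress.ip_network(client_lan)
    return [n for n in pushed_routes(conf_text) if n.overlaps(lan)]
```

A client sitting on another 192.168.1.0/24 network (a hotel or a friend's house) is exactly the case the clash check flags, which is why the author's note about the generic home subnet matters.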

It just took an entire week to figure that out. Here's the relevant documentation.