How to configure access to your local network using OpenVPN with tun?

Good day.
I have been struggling with this for a week. This question has been discussed several times, but for some reason none of it works.

There is a local network 192.168.127.0 on interface enp2s0.
OpenVPN is configured and clients connect. The VPN network is 10.8.0.0.
But the client can only ping 192.168.127.89, the internal IP of the OpenVPN server; pings to the rest of the network do not go through.
OpenVPN Config:
cat /etc/openvpn/server.conf
;local a.b.c.d
port 11194
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;server-bridge 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "route 10.8.0.0 255.255.255.0"
push "route 192.168.127.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
explicit-exit-notify 0


Client config:
client
;dev tap
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote xxx.xxx.xxx.xxx 11194
;remote-random
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings

remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
verb 3
;mute 20


Client routes when connected to the VPN:

ip ro li
default via 192.168.0.1 dev enp2s13 proto static metric 100 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4 
169.254.0.0/16 dev enp2s13 scope link metric 1000 
xxx.xxx.xxx.xxx via 192.168.0.1 dev enp2s13 
192.168.0.0/24 dev enp2s13 proto kernel scope link src 192.168.0.71 metric 100 
192.168.127.0/24 via 10.8.0.1 dev tun0


Server routes when connected to the VPN:
ip ro li
default via 212.48.195.118 dev ppp0 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.2 
192.168.127.0/24 dev enp2s0 proto kernel scope link src 192.168.127.89 
212.48.195.118 dev ppp0 proto kernel scope link src xxx.xxx.xxx.xxx


Firewall rules:
# Generated by iptables-save v1.6.0 on Tue Mar 26 16:48:58 2019
*filter
:INPUT DROP [236:11906]
:FORWARD ACCEPT [1041:69425]
:OUTPUT ACCEPT [253288:161677613]
:f2b-sshd - [0:0]
:f2b-sshd-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 10022 -j f2b-sshd-ddos
-A INPUT -p tcp -m multiport --dports 10022 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10022 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i enp2s0 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.127.0/24 -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A f2b-sshd -j RETURN
-A f2b-sshd-ddos -j RETURN
COMMIT
# Completed on Mon Mar 26 16:48:58 2019
# Generated by iptables-save v1.6.0 on Tue Mar 26 16:48:58 2019
*nat
:PREROUTING ACCEPT [2570:185461]
:INPUT ACCEPT [9217:504581]
:OUTPUT ACCEPT [3900:256485]
:POSTROUTING ACCEPT [3976:260537]
-A PREROUTING -s 192.168.127.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.168.127.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3388 -j DNAT --to-destination 192.168.127.81:3389
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p gre -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5650 -j DNAT --to-destination 192.168.127.160
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 15650 -j DNAT --to-destination 192.168.127.160
-A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
-A POSTROUTING -s 192.168.127.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.127.0/24 -o enp1s1 -j MASQUERADE
COMMIT
# Completed on Mon Mar 26 16:48:58 2019
# Generated by iptables-save v1.6.0 on Tue Mar 26 16:48:58 2019
*mangle
:PREROUTING ACCEPT [1688943:1124405045]
:INPUT ACCEPT [1014945:747408567]
:FORWARD ACCEPT [673998:376996478]
:OUTPUT ACCEPT [1106484:693624812]
:POSTROUTING ACCEPT [1780482:1070621294]
-A PREROUTING -s 192.168.127.0/24 -j HMARK --hmark-src-prefix 32 --hmark-rnd 0xfeedcafe --hmark-mod 10 --hmark-offset 10000
COMMIT
# Completed on Mon Mar 26 16:48:58 2019


enp2s0 is the LAN-facing interface
ppp0 goes to the Internet
enp1s1 is the second Internet channel
xxx.xxx.xxx.xxx is the external IP address of interface ppp0

I have probably tried all of the suggestions on the Internet. In theory it should work, but it doesn't.
If I uncomment ;push "redirect-gateway def1 bypass-dhcp", Internet traffic goes through the VPN, but the local network is still unreachable. Clearly something in the routing is off, but where?
Thank you.
March 19th 20 at 08:49
1 answer
March 19th 20 at 08:51
Solution
For computers on the internal network behind the VPN server to be able to send replies to requests from VPN clients, the VPN server must either be their default gateway, or a route to the VPN network must be added manually on each computer in the internal network.
Besides the firewall on the VPN server itself, traffic can be blocked by the firewalls on the computers within the network and on the VPN client. The easiest way is to disable the firewalls everywhere, check whether it works, then turn the firewalls back on and add allow rules to them.
NAT is usually not needed for traffic from VPN clients!
The VPN server must be either a default gateway on them

Yes. The VPN server is the gateway in this network, i.e. the internal IP of the VPN server, 192.168.127.89, is the gateway for the machines on the internal network over the VPN )
On the specific computer I want to reach, the firewall is off, but ping still does not get through. - Adrienne.Stark29 commented on March 19th 20 at 08:54
Let me add another point. Computers on the other side of the VPN do ping 10.8.0.1, but do not ping the VPN client network. - Adrienne.Stark29 commented on March 19th 20 at 08:57
@Adrienne.Stark29, Then the routing is all fine. The route on the VPN client is spelled out the same way.
Look in the direction of the firewall. Disable NAT for the VPN. - Providenci commented on March 19th 20 at 09:00
@Providenci, I would have to know how exactly to disable NAT for the VPN - Adrienne.Stark29 commented on March 19th 20 at 09:03
@Adrienne.Stark29, I'm not versed in Linux iptables, but it seems the rule with MASQUERADE is it. - Providenci commented on March 19th 20 at 09:06
@Providenci, I've tried removing those rules. Zero effect. - Adrienne.Stark29 commented on March 19th 20 at 09:09
@Adrienne.Stark29, Remove NAT for the VPN - it was not needed.
If there is no effect, then dig into the allowing rules of the firewall.
I saw in your rules the rule for incoming packets from the VPN interface, but where is the one for outgoing?
Why the FORWARD rule? Everything should be forwarded by standard means using the routing table.
Besides the server, there are other firewalls in the chain.

Treat my firewall ideas as probing. - Providenci commented on March 19th 20 at 09:12
@Providenci, In general, there are of course no forwarding rules, and I removed them. NAT is off, and the firewall is off between the client and the server. Pings do not go through ( - Adrienne.Stark29 commented on March 19th 20 at 09:15
@Adrienne.Stark29, Look with tcpdump at exactly which segment the packets stop passing. - Providenci commented on March 19th 20 at 09:18
@Providenci, According to tcpdump, the echo packets go through:
PPPoE [ses 0x77c] IP 192.168.127.160 > 10.8.0.4: ICMP echo reply, id 27832, seq 19, length 64
- Adrienne.Stark29 commented on March 19th 20 at 09:21
Although when pinging 192.168.127.89, which does answer, tcpdump shows nothing - Adrienne.Stark29 commented on March 19th 20 at 09:24
The packet should appear twice in the tcpdump output - once at the ingress, the second time at the egress. - Providenci commented on March 19th 20 at 09:27
The question is whether it could be due to the routing rules. This server has two Internet channels, and routing is split across two tables by packet marking.
ip ru li
0: from all lookup local 
32755: from 192.168.127.0/24 fwmark 0x2719 lookup Provider1 
32756: from 192.168.127.0/24 fwmark 0x2717 lookup Provider1 
32757: from 192.168.127.0/24 fwmark 0x2715 lookup Provider1 
32758: from 192.168.127.0/24 fwmark 0x2713 lookup Provider1 
32759: from 192.168.127.0/24 fwmark 0x2711 lookup Provider1 
32760: from 192.168.127.0/24 fwmark 0x2718 lookup Provider1 
32761: from 192.168.127.0/24 fwmark 0x2716 lookup Provider1 
32762: from 192.168.127.0/24 fwmark 0x2714 lookup Provider1 
32763: from 192.168.127.0/24 fwmark 0x2712 lookup Provider1 
32764: from 192.168.127.0/24 fwmark 0x2710 lookup Provider1 
32765: from xxx.xxx.xxx.xxx lookup Provider1 
32766: from all lookup main 
32767: from all lookup default


When one of the channels goes down, the routes are rebuilt onto the table of the working channel. When both channels are up, all packets are distributed equally between the providers. - Adrienne.Stark29 commented on March 19th 20 at 09:30
# ip ro li table Provider1
default via 212.48.195.118 dev ppp0 
127.0.0.0/8 dev lo scope link


It seems to me that the default routes from the 192.168.127.0 network go through this table. - Adrienne.Stark29 commented on March 19th 20 at 09:33
The question is whether it could be due to the routing rules. This server has two Internet channels, and routing is split across two tables by packet marking.

Yes, maybe.
Add a record of the route to the VPN network in both route tables. - Providenci commented on March 19th 20 at 09:36
@Providenci, Baaa.. Yes, that was it ))
Added the rule to the Provider1 table and it started working ) Thanks for the discussion ))
ip ro ad 10.8.0.0/24 via 10.8.0.1 table Provider1 - Adrienne.Stark29 commented on March 19th 20 at 09:39
@Adrienne.Stark29, Super! - Providenci commented on March 19th 20 at 09:42
@Providenci, and masquerading is not needed, you were right. Although all the articles on the Internet write that you need to masquerade the packets. Thank you. - Adrienne.Stark29 commented on March 19th 20 at 09:45
@Adrienne.Stark29, Yes, I know about NAT. I don't know why it gets shoved in everywhere. You are not the first to get caught out by NAT.
Often a config with NAT works if you don't need to go beyond the VPN server. But in this case NAT is superfluous. - Providenci commented on March 19th 20 at 09:48
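The thread ends with two separate fixes: LAN hosts need a return route to the VPN subnet (the answer), and on the server every policy-routing table that a LAN-sourced reply can be looked up in must carry that route too (the final comment). The script below is an added example, not code from the thread or from OpenVPN: it reads `ip rule` and per-table `ip route` listings as text, reports which tables selectable for 192.168.127.0/24 lack a 10.8.0.0/24 route, and prints the `ip route add` commands that would close the gap without changing anything itself. The rule and route listings embedded in it are constructed from the thread's output, with the masked external address replaced by the documentation address 203.0.113.10; the function names and the `table|route` input format are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits which routing tables a packet
# from the LAN can be looked up in (per `ip rule`) and whether each of those
# tables carries a route to the VPN subnet, then prints the `ip route add`
# commands that would close the gap. It only reads text and prints; it never
# touches the live routing configuration.
LC_ALL=C
export LC_ALL

VPN_NET="10.8.0.0/24"        # the OpenVPN subnet from server.conf
VPN_GW="10.8.0.1"            # the server's tun0 address
LAN_NET="192.168.127.0/24"

# Constructed sample of `ip rule list` output, modelled on the thread; the real
# external address is replaced with a documentation address (203.0.113.10).
SAMPLE_RULES='0: from all lookup local
32755: from 192.168.127.0/24 fwmark 0x2719 lookup Provider1
32764: from 192.168.127.0/24 fwmark 0x2710 lookup Provider1
32765: from 203.0.113.10 lookup Provider1
32766: from all lookup main
32767: from all lookup default'

# Constructed sample of `ip route list table <T>` output, one route per line,
# prefixed with the table name as "table|route line" (this example's format).
SAMPLE_ROUTES='Provider1|default via 203.0.113.1 dev ppp0
Provider1|127.0.0.0/8 dev lo scope link
main|default via 203.0.113.1 dev ppp0
main|10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
main|192.168.127.0/24 dev enp2s0 proto kernel scope link src 192.168.127.89'

# tables_for_source RULES SRC: print (one per line) the tables whose rules can
# match a packet from SRC. "local" and "default" are skipped: "local" only holds
# host and broadcast entries and "default" is normally empty.
tables_for_source() {
  printf '%s\n' "$1" | awk -v src="$2" '
    /lookup/ {
      f = ""; t = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "from")   f = $(i + 1)
        if ($i == "lookup") t = $(i + 1)
      }
      if ((f == "all" || f == src) && t != "local" && t != "default") print t
    }' | sort -u
}

# table_has_route ROUTES TABLE NET: succeed if NET is a route in TABLE.
table_has_route() {
  printf '%s\n' "$1" | awk -F'|' -v t="$2" -v n="$3" '
    $1 == t && index($2, n " ") == 1 { found = 1 }
    END { exit found ? 0 : 1 }'
}

# missing_vpn_routes RULES ROUTES: print the tables a LAN packet can land in
# that have no route to the VPN subnet. This is the failure mode in the thread:
# replies from 192.168.127.0/24 hit Provider1, which only has a default via ppp0.
missing_vpn_routes() {
  for t in $(tables_for_source "$1" "$LAN_NET"); do
    table_has_route "$2" "$t" "$VPN_NET" || printf '%s\n' "$t"
  done
}

# fix_commands RULES ROUTES: print one `ip route add` per missing table, in the
# same form the thread used. The directly connected form (`dev tun0` with no
# gateway) expresses the same route.
fix_commands() {
  for t in $(missing_vpn_routes "$1" "$2"); do
    printf 'ip route add %s via %s table %s\n' "$VPN_NET" "$VPN_GW" "$t"
  done
}

# lan_host_route_cmd HOST_GW SERVER_LAN_IP: the other half of the answer. A LAN
# host whose default gateway is not the VPN server needs its own return route;
# print that command, or nothing if the VPN server already is its gateway.
lan_host_route_cmd() {
  [ "$1" = "$2" ] && return 0
  printf 'ip route add %s via %s\n' "$VPN_NET" "$2"
}

# Report for the constructed sample. On a live box, feed the functions the output
# of `ip rule list` and of `ip route list table <T>` for each table instead.
missing_vpn_routes "$SAMPLE_RULES" "$SAMPLE_ROUTES" | sed 's/^/VPN route missing in table: /'
fix_commands "$SAMPLE_RULES" "$SAMPLE_ROUTES"
lan_host_route_cmd 192.168.127.1 192.168.127.89
```

For the constructed sample the audit flags only Provider1, and the generated command matches the one that fixed the thread. The check is deliberately per table rather than per default route: the rules select Provider1 by fwmark, so a LAN reply can be looked up there even while the main table is correct, which is why the server's `ip ro li` looked fine yet the echo replies never came back over tun0.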
