Re: [Openvpn-users] Reaching connected client machine from the server through the tunnel?

2024-01-17 Thread Bo Berglund
On Wed, 17 Jan 2024 22:05:49 +, André via Openvpn-users
 wrote:

>On Wednesday, January 17th, 2024 at 22:47, André 
> wrote:
>
> Hi,
> 
> If I understand correctly the video library is on the Pi?

No, the RPi connects by OpenVPN to my home LAN using the OVPN server, which is
an Ubuntu server.
*This* Ubuntu server also hosts one Video library, but there is additionally a
set of home videos on my NAS which is available to the connected RPi since it is
now on the LAN via VPN.

All of this type of connectivity is working and configured correctly.

> If so, configure it for connecting to your server.
> Make sure IP forwarding is enabled on the VPN server.

That is a necessary condition for the server operations so it is ON.

> Add a route on the server side gateway (probably router) pointing 
> towards the LAN IP of the machine running the VPN server with the 
> tunnel subnet as source.

This looks like what I did when I connected my summer home and my main home
LANs together using OpenVPN.
The routers have this type of specific routing for both directions. The routing
target of the home router is the VPN server in this case.

> You can then connect to the Pi using its tunnel IP from any device on the LAN.
> Make sure the firewall on the VPN server allows the traffic.
> 
> Hope I phrased that right...:)
> .


What I am after is a way to maintain the remote RPi device from here via the
command line.
Two alternatives:
1) From my Windows PC using the RPi tunnel address (which I know since it is
fixed in the server conf)

or

2) If that does not work, from the VPN server's command line, which I connect to
using PuTTY. So this would mean a two-step SSH connection:
- First to the VPN server using its LAN address
- Then from there to the RPi using its tunnel address

So doing the routing on the main LAN Asus Router will probably be needed here in
order to get access from my Windows PC.

Do I need something also on the VPN server's routing in order to make it send
packets destined for the remote RPi via the tunnel?

I guess I have to revisit my notes from setting up the 2-way connection of my
home and cottage LANs...

Luckily I have a guest WiFi network *not* served by my main router so I can test
it all here (once the RPi has been configured) by connecting it to that LAN.


-- 
Bo Berglund
Developer in Sweden



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Reaching connected client machine from the server through the tunnel?

2024-01-17 Thread Bo Berglund
On Wed, 17 Jan 2024 22:30:05 +0100, Gert Doering  wrote:

>Hi,
>
>On Wed, Jan 17, 2024 at 09:57:41PM +0100, Bo Berglund wrote:
>> Is there some way when that RPi has connected to my OpenVPN server to reach it
>> "backwards" via the connected tunnel? I mean to establish a command line SSH
>> interface through the tunnel or similar.
>
>Unless firewall rules (or routing) on either end get in the way, you have
>a transparent IP connection through the tunnel - so SSH to the rPI should
>be just fine, no extra config needed on the OpenVPN side.
>
>(Easiest is to SSH to the "tun0" IP address, as you do not have to
>concern yourself with routing the rPI LAN address through the tunnel)
>

I have earlier done something similar, but not really the same...

At that time we had an RPi device that was put in the field with a mobile
network modem for connection. I had made a service on an OpenVpn server that had
client-to-client activated and no routing past the tunnel at all.
So the remote device connected and was going nowhere, but then I could hook up
with it by connecting my Windows PC to the same "dead-end" tunnel and knowing
the remote device's tunnel address I could access it via the tunnel.

But that was a really special use of OpenVPN and in this case the remote device
has to use the VPN "normally" and connect to join the server side network.
It will access resources on the server's LAN including the Internet gateway.

So since it is doing that I figured that it could be possible to access it from
the server network via its tunnel address.

But do I then have to manipulate the OVPN server's routing table and the main
router's table as well? That is if I want to access the remote device from a
different device on the server's LAN? Like my Windows PC using PuTTY...


-- 
Bo Berglund
Developer in Sweden





Re: [Openvpn-users] Reaching connected client machine from the server through the tunnel?

2024-01-17 Thread Marc SCHAEFER
Hello,

On Wed, Jan 17, 2024 at 09:57:41PM +0100, Bo Berglund wrote:
> Is there some way when that RPi has connected to my OpenVPN server to reach it
> "backwards" via the connected tunnel? I mean to establish a command line SSH
> interface through the tunnel or similar.

Well, it has a (presumably private) address on the OpenVPN interface that you
can control from the VPN server configuration.

For example here, this is an OpenVPN client with no public address (on a CGNAT
via a 4G wireless link):

The 4G interface with a private IP (wwan0)
inet 10.56.90.106/30 brd 10.56.90.107 scope global dynamic wwan1
(obviously, you can't do much with it, as it's CGNAT controlled
 by the 4G network operator)

The OpenVPN interface with a private IP (tap0, also works with tun0)
inet 192.168.251.4/24 scope global tap0

So, from the OpenVPN server, assuming your pi has no firewall:

schaefer@shakotay:~$ telnet 192.168.251.4 22
Trying 192.168.251.4...
Connected to 192.168.251.4.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3

Yes, SSH on your pi can be reached, or whatever service you want to
be reachable.

> But the lack of public IP makes it impossible to run a server on the client side
> to access the RPi and I guess if done it would create a closed loop kind of
> connection...

Just make your SSH server on the pi listen on 0.0.0.0 (which is the default), it
will happily answer on all of the IP addresses, private or public, that it has.
 
> Advice on how to configure the client and server for this is gratefully
> appreciated.

In my case, there IS a firewall, and the OpenVPN client startup script configures
it correctly so that the SSH server is accessible from the VPN.

If I remember well, in addition, I had to derive the (private) IP address from
the certificate client name (CN) and push it to the client through the server
connect script, something like:

   case $common_name in
      client[0-9][0-9])
         the_ip=${common_name/client}
         case $the_ip in
            0*) the_ip=${the_ip/0};;
         esac
         cat > $1
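
An added example, not part of Marc's message (which is cut off in this archive): one way to write a client-connect hook that derives a fixed tunnel address from the certificate CN and hands it to OpenVPN as an ifconfig-push line in the temporary file passed as $1. The 192.168.251 prefix is taken from the tap0 address shown above; the netmask, the clientNN naming, the reservation of .1 for the server and the function names are assumptions.

```sh
#!/bin/sh
# Added example: client-connect hook that pins one tunnel IP per certificate CN.
# Assumptions (not from the original post): tap or "topology subnet" setup,
# CNs of the form clientNN, and .1 reserved for the VPN server itself.

SUBNET_PREFIX="192.168.251"   # from the tap0 address quoted in the post
NETMASK="255.255.255.0"       # assumed /24, as in that address

# cn_to_ip CN
# Prints the tunnel IP for CN. Returns 1 for anything that is not exactly
# "client" followed by two digits, so a malformed CN never reaches the
# config file that OpenVPN will parse.
cn_to_ip() {
    case "$1" in
        client[0-9][0-9]) ;;      # case patterns match the whole string
        *) return 1 ;;
    esac
    n=${1#client}                 # "client04" -> "04"
    n=${n#0}                      # "04" -> "4" (avoid a leading zero in the octet)
    # Reject .0 (network address) and .1 (assumed to be the server).
    [ "$n" -ge 2 ] || return 1
    printf '%s.%s\n' "$SUBNET_PREFIX" "$n"
}

# write_client_config CN FILE
# Writes the per-client directive into FILE, the temporary file OpenVPN
# passes to the client-connect script as $1.
write_client_config() {
    ip=$(cn_to_ip "$1") || return 1
    printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK" > "$2"
}

# When OpenVPN runs this as the client-connect script, $common_name is set in
# the environment and $1 is the temp file. A non-zero exit status makes the
# server refuse the client, so unknown CNs do not get an address.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    write_client_config "$common_name" "$1" || exit 1
fi
```

With a fixed address per CN, a firewall rule on the Pi or on the server can allow SSH for that one tunnel address rather than for the whole tunnel subnet.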

Re: [Openvpn-users] Reaching connected client machine from the server through the tunnel?

2024-01-17 Thread André via Openvpn-users
Sorry, forgot cc to users list
.
.
.
On Wednesday, January 17th, 2024 at 22:47, André 
 wrote:

> Hi,
> 
> If I understand correctly the video library is on the Pi?
> If so, configure it for connecting to your server.
> Make sure IP forwarding is enabled on the VPN server.
> Add a route on the server side gateway (probably router) pointing towards the
> LAN IP of the machine running the VPN server with the tunnel subnet as source.
> You can then connect to the Pi using its tunnel IP from any device on the LAN.
> Make sure the firewall on the VPN server allows the traffic.
> 
> Hope I phrased that right...:)
> .
> .
> .
> On Wednesday, January 17th, 2024 at 21:57, Bo Berglund bo.bergl...@gmail.com 
> wrote:
> 
> > I have a Raspberry Pi device which will be deployed to a location with a network
> > which does not have a public IP address.
> > 
> > The RPi will be configured with openvpn to auto-connect to my VPN server when
> > it starts.
> > 
> > The client-to-server connection is used to make available a video library to the
> > remote site.
> > 
> > Is there some way when that RPi has connected to my OpenVPN server to reach it
> > "backwards" via the connected tunnel? I mean to establish a command line SSH
> > interface through the tunnel or similar.
> > Either from the server itself from its command line or via the server from other
> > devices on the server side network.
> > 
> > This connection if possible would be used to manage the RPi device itself since
> > there is no one that can do that locally.
> > 
> > But the lack of public IP makes it impossible to run a server on the client side
> > to access the RPi and I guess if done it would create a closed loop kind of
> > connection...
> > 
> > Advice on how to configure the client and server for this is gratefully
> > appreciated.
> > 
> > TIA
> > 
> > --
> > Bo Berglund
> > Developer in Sweden
> > 




Re: [Openvpn-users] Reaching connected client machine from the server through the tunnel?

2024-01-17 Thread Gert Doering
Hi,

On Wed, Jan 17, 2024 at 09:57:41PM +0100, Bo Berglund wrote:
> Is there some way when that RPi has connected to my OpenVPN server to reach it
> "backwards" via the connected tunnel? I mean to establish a command line SSH
> interface through the tunnel or similar.

Unless firewall rules (or routing) on either end get in the way, you have
a transparent IP connection through the tunnel - so SSH to the rPI should
be just fine, no extra config needed on the OpenVPN side.

(Easiest is to SSH to the "tun0" IP address, as you do not have to
concern yourself with routing the rPI LAN address through the tunnel)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-users] Reaching connected client machine from the server through the tunnel?

2024-01-17 Thread Bo Berglund
I have a Raspberry Pi device which will be deployed to a location with a network
which does not have a public IP address.

The RPi will be configured with openvpn to auto-connect to my VPN server when
it starts.

The client-to-server connection is used to make available a video library to the
remote site.

Is there some way when that RPi has connected to my OpenVPN server to reach it
"backwards" via the connected tunnel? I mean to establish a command line SSH
interface through the tunnel or similar.

Either from the server itself from its command line or via the server from other
devices on the server side network.

This connection if possible would be used to manage the RPi device itself since
there is no one that can do that locally.

But the lack of public IP makes it impossible to run a server on the client side
to access the RPi and I guess if done it would create a closed loop kind of
connection...

Advice on how to configure the client and server for this is gratefully
appreciated.

TIA


-- 
Bo Berglund
Developer in Sweden


