Remote Access with OpenVPN across 2 VLANs

MrRouter

n3wb
Joined
Jan 21, 2019
Messages
10
Reaction score
0
Location
USA
Hi guys,

I'm having a hard time understanding this concept and wanted to see if anyone would be able to point me in the correct direction.

I am in the process of setting up my network as follows:

Internet -> Modem -> Asus AC68U -> L3 Switch -> VLAN 1 (Personal Computers) / VLAN 2 (Blue Iris PC + IP Cams)

I am running an OpenVPN server on the Asus router, which to my understanding does not natively support VLAN routing (which is part of the reason I am looking into getting a fully managed L3 switch). I am able to access my LAN from the WAN via OpenVPN currently without issue.

After I introduce the L3 switch and segment off VLAN 1 (192.168.1.X/24) and VLAN 2 (192.168.2.1/24), how is it that I will be routed to the appropriate VLAN when connecting to my LAN over OpenVPN? For example, say I VPN into my LAN and attempt to access my Blue Iris PC (192.168.2.10). Do I need to configure OpenVPN to assign an address within VLAN 2? Or is this where ACLs come into play?

Any clarification on this would be appreciated.
 
Joined
Feb 28, 2020
Messages
14
Reaction score
12
Location
Indy
I'm no expert, but, assuming you are using DEV TUN, aren't the subnet routes you push to your client defined within the server config file?
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,409
Reaction score
2,796
Location
USA
During the VPN server setup process, you need to specify each IP range that you want to be able to access. So you will need to list both sets of addresses - 192.168.1.X/24 and 192.168.2.1/24. That is supposed to give you access to devices on both VLANs when you VPN in.

That being said, I am going through this exact process right now and even though I put both sets of addresses in my VPN server setup, I cannot access the camera VLAN. I can see both sets of addresses listed in the VPN config and status pages, but I still cannot access the BI server over VPN for some reason. The firewall rules are set to "Allow All" on the VPN interface too.
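Worked example, added here and not code any poster ran: a small longest-prefix-match model of the OP's topology (Internet -> Asus running the OpenVPN server -> L3 switch -> VLAN 1 / VLAN 2) that shows what the pushed routes in the two replies above do and what they do not do. Every address is an assumption: tunnel 10.8.0.0/24 (server 10.8.0.1, client 10.8.0.6), Asus LAN address 192.168.1.1, L3 switch 192.168.1.2 on VLAN 1 and 192.168.2.1 on VLAN 2, Blue Iris PC 192.168.2.10. The `build` function also takes a flag for a static route on the Asus for 192.168.2.0/24 via the switch, because a tunnel endpoint that only knows its own LAN has no way to learn a subnet that lives behind an L3 switch.

```python
"""Trace a VPN client's packets through the OP's split network.

Added example for this thread, not something any poster ran: a tiny
longest-prefix-match model of Internet -> Asus (OpenVPN server) -> L3 switch
-> VLAN1 / VLAN2. All addresses are assumptions: tunnel 10.8.0.0/24 (server
10.8.0.1, client 10.8.0.6), Asus LAN 192.168.1.1, switch 192.168.1.2 on VLAN1
and 192.168.2.1 on VLAN2, Blue Iris PC 192.168.2.10.
"""
from ipaddress import ip_address, ip_network


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop_or_None, iface) entries."""
    dst = ip_address(dst)
    best = None
    for prefix, via, iface in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, iface)
    return None if best is None else (best[1], best[2])


def owner(nodes, addr):
    """Which node holds this address (None for anything off-network, e.g. the ISP)."""
    for name, node in nodes.items():
        if addr in node["addrs"]:
            return name
    return None


def trace(nodes, start, dst, max_hops=8):
    """Forward a packet hop by hop; returns (path, delivered)."""
    path, node = [start], start
    for _ in range(max_hops):
        if dst in nodes[node]["addrs"]:
            return path, True
        hit = lookup(nodes[node]["routes"], dst)
        if hit is None:
            return path, False
        via, iface = hit
        nxt = owner(nodes, dst if via is None else via)
        if nxt is None:  # default route toward the WAN: RFC 1918 traffic goes nowhere
            path.append(f"{iface}->dropped")
            return path, False
        path.append(nxt)
        node = nxt
    return path, False


def server_config_lines(tunnel="10.8.0.0 255.255.255.0",
                        lans=("192.168.1.0 255.255.255.0", "192.168.2.0 255.255.255.0")):
    """OpenVPN server lines (dev tun) that install the client routes modelled below."""
    return ["dev tun", f"server {tunnel}"] + [f'push "route {lan}"' for lan in lans]


def build(asus_knows_vlan2):
    """Routing tables for each node; `asus_knows_vlan2` adds the static route the
    tunnel endpoint needs for a subnet that lives behind the L3 switch."""
    asus_routes = [
        ("192.168.1.0/24", None, "br0"),
        ("10.8.0.0/24", None, "tun0"),
        ("0.0.0.0/0", "203.0.113.1", "eth0"),  # WAN default (documentation address)
    ]
    if asus_knows_vlan2:
        asus_routes.append(("192.168.2.0/24", "192.168.1.2", "br0"))
    return {
        "client": {"addrs": {"10.8.0.6"}, "routes": [
            ("10.8.0.0/24", None, "tun0"),
            ("192.168.1.0/24", "10.8.0.1", "tun0"),  # from push "route 192.168.1.0 ..."
            ("192.168.2.0/24", "10.8.0.1", "tun0"),  # from push "route 192.168.2.0 ..."
        ]},
        "asus": {"addrs": {"10.8.0.1", "192.168.1.1"}, "routes": asus_routes},
        "switch": {"addrs": {"192.168.1.2", "192.168.2.1"}, "routes": [
            ("192.168.1.0/24", None, "vlan1"),
            ("192.168.2.0/24", None, "vlan2"),
            ("0.0.0.0/0", "192.168.1.1", "vlan1"),  # everything else goes to the Asus
        ]},
        "blueiris": {"addrs": {"192.168.2.10"}, "routes": [
            ("192.168.2.0/24", None, "eth0"),
            ("0.0.0.0/0", "192.168.2.1", "eth0"),
        ]},
    }


if __name__ == "__main__":
    for knows in (False, True):
        nodes = build(knows)
        print(f"Asus has a static route for 192.168.2.0/24 via 192.168.1.2: {knows}")
        print("  client -> Blue Iris:", trace(nodes, "client", "192.168.2.10"))
        print("  Blue Iris -> client:", trace(nodes, "blueiris", "10.8.0.6"))
    print("\n".join(server_config_lines()))
```

What the trace shows: the client never needs an address in VLAN 2. It keeps its tunnel address, and the pushed `route` lines only get its packets as far as the Asus. Without a route for 192.168.2.0/24 on the Asus the packet follows the WAN default and is dropped; with the static route via the switch it arrives, and the reply path works in both cases because the switch's default route already points at the Asus. ACLs are a separate question: once routing works, an ACL on the switch (or firewall rules on the router) is what limits which VLANs tunnel clients may reach.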
 

The Automation Guy

Ok, but can you access the other VLAN?
My main LAN is 192.168.72.0/24. I have my cameras set up on a VLAN with an address range of 192.168.74.0/24. When I connect via the VPN, I can ping devices on both networks (72.x and 74.x) including the Blue Iris server, but I cannot connect to the Blue Iris server, either with the Android app or using a browser. I have the 192.168.74.X:81 BI address listed in both the LAN and WAN addresses in the Android app, although it should be connecting using the LAN information. As soon as I disconnect from the VPN, I can connect using both the Android app and browser with the same details (address, login, etc.).

When I use the VPN, my device shows up on the main LAN with a 192.168.72.0/24 address assigned by the DHCP server as expected. I can access all my other devices and web servers over the VPN connection, just not the BI web server. Firewall rules are written to "Allow All" on the VPN connections on the router and the Windows Firewall is turned off on the BI server (for troubleshooting). I use pfSense as my firewall. I've also created a peer-to-peer VPN tunnel to another site that is up and running as well, but I make no attempt to access that network with the VPN connection in question, so it shouldn't make a difference (I'm just mentioning it to give a complete picture).

I actually just totally redid my network and created the VLANs (a by-product of being stuck at home right now). Prior to this, everything was on my main LAN and accessing the BI web server over VPN wasn't an issue. I reinstalled pfSense from scratch to ensure a clean start, so there is zero possibility of any lingering old rules, duplicated ports on VPN servers, etc.

At this point I'm at a loss why I can't connect over VPN. I can ping the BI Server, so I would think it should connect.
 

The Automation Guy

I found the root of the problem I was having and I want to post it here so the OP doesn't fall into the same trap.

I had assumed that because the remote VPN device gets assigned an IP address in the LAN subnet, I only had to list the LAN subnet (along with VLAN subnets as applicable) in the web server's "Limit IP Addresses" list (found in Settings/Web Server/Advanced Settings). This was wrong, however, and I needed to list the tunnel subnet as well. As soon as I added the actual tunnel subnet (as set in the VPN server settings), I could connect to the cameras just fine.

So don't forget to list the tunnel IP subnet in the "Limit IP Addresses" list if you use it (and I would suggest that you do).
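Worked example, added here and not Blue Iris code or any poster's actual settings: an allow-list check of the "Limit IP Addresses" kind, applied to the source address a server sees. With `dev tun` and no NAT on the VPN server, that source is the client's tunnel address, which is why a list that holds only LAN and VLAN subnets refuses the VPN client even though the pushed routes work. The subnets are the ones the thread names (LANs 192.168.72.0/24 and 192.168.74.0/24, tunnel 10.1.72.0/24); the host addresses and the sample config text are constructed for the example. The `tunnel_subnet_from_config` helper reads the tunnel network from an OpenVPN `server` line so the allow-list is checked against the same value the VPN server hands out.

```python
"""Why a VPN client can ping the Blue Iris host yet be refused by its web server.

Added example for this thread, not Blue Iris code and not any poster's actual
settings: an allow-list check of the "Limit IP Addresses" kind, applied to the
source address the server sees. With dev tun and no NAT on the VPN server that
source is the client's tunnel address. Subnets are the ones the thread names
(LANs 192.168.72.0/24 and 192.168.74.0/24, tunnel 10.1.72.0/24); the host
addresses and the config text below are constructed for the example.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample of the relevant server-side lines (OpenVPN config syntax).
SAMPLE_SERVER_CONF = """\
dev tun
server 10.1.72.0 255.255.255.0
push "route 192.168.72.0 255.255.255.0"
push "route 192.168.74.0 255.255.255.0"
"""

LAN_ONLY = ["192.168.72.0/24", "192.168.74.0/24"]   # the list that looked complete


def allowed(source, limit_list):
    """True if `source` falls inside any entry of the allow-list."""
    src = ip_address(source)
    return any(src in ip_network(entry, strict=False) for entry in limit_list)


def tunnel_subnet_from_config(config_text):
    """Read the tunnel network from the `server <network> <netmask>` line and
    return it in CIDR form."""
    m = re.search(r"^\s*server\s+(\S+)\s+(\S+)\s*$", config_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'server <network> <netmask>' line found")
    return str(ip_network(f"{m.group(1)}/{m.group(2)}"))


def fixed_limit_list(limit_list, config_text):
    """Return the allow-list with the tunnel subnet appended if it is missing."""
    tunnel = ip_network(tunnel_subnet_from_config(config_text))
    present = any(ip_network(e, strict=False) == tunnel for e in limit_list)
    return list(limit_list) if present else list(limit_list) + [str(tunnel)]


def check_requests(limit_list):
    """Verdict per source for an HTTP request to the BI web server (port 81 in
    the thread). ICMP never reaches this check, which is why ping still works."""
    sources = {
        "lan laptop": "192.168.72.50",
        "camera vlan host": "192.168.74.20",
        "openvpn client": "10.1.72.6",   # dev tun: BI sees the tunnel address
    }
    return {name: allowed(ip, limit_list) for name, ip in sources.items()}


if __name__ == "__main__":
    print("before:", check_requests(LAN_ONLY))
    fixed = fixed_limit_list(LAN_ONLY, SAMPLE_SERVER_CONF)
    print("fixed list:", fixed)
    print("after: ", check_requests(fixed))
```

Two caveats worth keeping in mind when applying this to a real setup. If the VPN server NATs tunnel traffic to its own LAN address, the server would see that LAN address instead and the tunnel subnet would not need listing, but then every VPN user looks the same to the allow-list, so the trade is less granularity. And each tunnel has its own subnet: a second remote-access server or a site-to-site tunnel needs its own entry, which is exactly why two tunnel subnets appear in the screenshots later in this thread.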
 
Joined
Feb 28, 2020
Messages
14
Reaction score
12
Location
Indy
It was a Blue Iris config effort, not an OpenVPN config effort. That was the next logical place since you could ping the BI server from the remote VPN client. Good job!
 

The Automation Guy

@The Automation Guy

A couple of screen shots of your configuration would help. Thanks

Here you go.

I use pfSense for my router/firewall. The first image is a screenshot of a portion of the VPN configuration page. It shows the tunnel address at the top (10.1.72.0/24) and the local IPv4 addresses for all of the VLANs I want the VPN to access on my network.
VPN multiple LANs.png


The second image is the Blue Iris "Limit IP Addresses" page where I had to make sure I listed not just the regular LAN, but also the tunnel addresses for the two VPN setups I have (the second address matches the tunnel address listed in the first image).

BlueIris VPN settings.png

I hope that helps someone set their system up correctly.
 