Issue with LAN routing when using VPNs


jackjack4

New Member
May 28, 2023
(attached diagram: home network.png)
Hello. I'm having issues with a remote user being able to access the server (.203) when connecting over VPN. The server is constantly connected to a 3rd party VPN provider, used for all external access. This interface is the default route (0.0.0.0 tun1).

Internal clients, A and B, can access the server without issue. A & B do not use any VPN; their default route is to the router and out to ISP.

When a remote user connects to the router via VPN, it acquires an IP in the same subnet as everything else. The idea was that if it had the same subnet-IP, routing would be simple. But, the remote user cannot ping/ssh/smb to the server. Remote user can ping/ssh to A & B, but not to server.

I feel this has something to do with routing priority on the server but I'm not sure how to handle that. The server already has a route for the LAN but for whatever reason, it's not used by remote client's attempts. I don't know how to confirm this, but my suspicion is that packets from remote user reach server, but the response packets are going out via tun1 which is not correct; they should go out eth0.

What sort of network config do I need so that remote user can access the server when connected to the LAN via VPN?

DavidWJohnston

Active Member
Sep 30, 2020
Using the same subnet for a VPN (TUN mode) will probably not make things easier, because now you have devices holding IPs in the same subnet but in different broadcast domains.

One issue with a setup like this is ARPs - Since they are not in the same broadcast domain, ARP IP-to-MAC resolution will not work properly. Devices on the same subnet are assumed to be in the same broadcast domain, but in the case of a VPN this isn't true. If you want your remote users to be in the same subnet, use a TAP instead of a TUN VPN. Then your existing DHCP and such will service your remote clients.

For this config to work, the VPN server needs to be configured to Proxy ARP. See this question: OpenVPN: How to issue client IP on the same subnet as the server LAN

Try to ping your remote clients from the .203 server, then check the ARP cache on the .203 server to see if your remote clients are in there.

Also use tcpdump to capture some traces to see what's going on. You will need to capture the broadcasts too to see the ARPs.

But to save yourself that trouble, just use a TAP type VPN, or use a different subnet, that way you can properly create routes that inform routers where to send the packets for your remote users instead of relying on proxying ARPs between 2 broadcast domains.
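The following is an added illustration, not code from either poster: a small Python model of the two decisions the .203 server makes for every reply packet, longest-prefix route selection and then ARP resolution on the chosen link. It uses constructed addresses (192.168.1.0/24 as the LAN, .10 and .11 as clients A and B, .1 as the router, 192.168.1.50 as a TUN client squatting in the LAN subnet, and 192.168.2.0/24 as the alternative separate VPN subnet). It reproduces the reply's point that the same-subnet TUN client is routed to eth0 correctly but its ARP goes unanswered unless the router proxy-ARPs for it, and the original poster's suspicion that a client in a subnet with no LAN route gets its replies sent down the provider's tun1 default route instead.

```python
"""Constructed model of a Linux host's reply path: route lookup, then ARP.
Addresses, interface names and the segment membership below are assumptions
made for this example, not taken from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.1.0/24")      # constructed LAN subnet
VPN_NET = ipaddress.ip_network("192.168.2.0/24")  # constructed separate VPN subnet


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # None means directly connected (no gateway)


# The server's routing table as described in the post:
# everything defaults out tun1 (the VPN provider), the LAN is directly on eth0.
SERVER_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "tun1"),
    Route(LAN, "eth0"),
]

# Hosts that really share eth0's broadcast domain with the server: the router
# and the two wired clients A and B. A TUN client is NOT here even though its
# address falls inside LAN, because it sits behind the router's tunnel.
ETH0_SEGMENT = {"192.168.1.1", "192.168.1.10", "192.168.1.11"}


def select_route(routes, dst):
    """Longest-prefix match, the rule the kernel applies when several routes
    cover the destination (the /24 beats 0.0.0.0/0)."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def arp_resolve(target, segment, proxy_arp=None):
    """Who answers an ARP who-has for `target` on this segment?
    The host itself if it is on the segment, a proxy-ARP device on the segment
    whose proxied range covers the target, else nobody (request unanswered).
    `proxy_arp` maps a device's IP to the network it answers for."""
    if target in segment:
        return target
    for proxy_ip, covered in (proxy_arp or {}).items():
        if proxy_ip in segment and ipaddress.ip_address(target) in covered:
            return proxy_ip
    return None


def reply_path(dst, routes=SERVER_ROUTES, segment=ETH0_SEGMENT, proxy_arp=None):
    """Return (egress interface, gateway, IP whose MAC the frame is sent to).
    The third element is 'n/a' on tun1, which is point-to-point and needs no ARP,
    and None when the ARP request on eth0 would go unanswered."""
    route = select_route(routes, dst)
    if route is None:
        return ("unroutable", None, None)
    if route.dev != "eth0":
        return (route.dev, route.via, "n/a")
    answered_by = arp_resolve(route.via or dst, segment, proxy_arp)
    return (route.dev, route.via, answered_by)


if __name__ == "__main__":
    print("client A        ", reply_path("192.168.1.10"))
    print("TUN, same subnet", reply_path("192.168.1.50"))
    print("  + proxy ARP   ", reply_path("192.168.1.50", proxy_arp={"192.168.1.1": LAN}))
    print("VPN /24, no route", reply_path("192.168.2.50"))
    with_route = SERVER_ROUTES + [Route(VPN_NET, "eth0", via="192.168.1.1")]
    print("VPN /24 + route ", reply_path("192.168.2.50", routes=with_route))
```

The last two cases are the "different subnet" option from the reply: with no route for 192.168.2.0/24 the reply leaves via tun1 to the VPN provider, and a single static route pointing that prefix at the router fixes it with no ARP proxying involved. The real-world equivalent of this model on the .203 server is `ip route get <client-ip>` for the route decision and `ip neigh show dev eth0` for what ARP actually resolved.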