Author Topic: Accessing devices on LAN2 while connected through the VPN  (Read 3593 times)

hushcoden

  • Reg Member
  • ***
  • Posts: 430
Accessing devices on LAN2 while connected through the VPN
« on: February 17, 2023, 09:04:29 PM »

I was wondering if someone has an idea on how I can access my devices on LAN2 from LAN while connected through the (Proton)VPN.

I believe it's a routing issue, but I'm not able to fix it. I use OPNsense and the two devices I want to access are connected to interface LAN2: LAN is on 192.168.0.1/24 while LAN2 is on 192.168.20.1/24. I believe I should create some rules, but so far all my attempts (on WAN and/or LAN/LAN2 interface) have failed: any networking expert who can help me out?

Tia.
« Last Edit: February 17, 2023, 11:32:54 PM by hushcoden »
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #1 on: March 24, 2023, 05:24:44 PM »

Your LAN2, or rather its default gateway, needs to have a route to whatever address your VPN user has as their source. It's often the case that a problem is seen as "I can't reach XX" but the actual issue is that XX doesn't know how to reply.
Logged

hushcoden

  • Reg Member
  • ***
  • Posts: 430
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #2 on: March 24, 2023, 09:39:29 PM »

I reckon when I run the VPN on my laptop, the communication is encrypted and OPNsense can't see I'm trying to reach a device on a different subnet?

Just waffling. Unfortunately I'm not good at networking...
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5285
    • Thinkbroadband Quality Monitors
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #3 on: March 25, 2023, 12:27:42 AM »

Am I to understand it's OPNsense connected to ProtonVPN?
Have you configured OPNsense to allow LAN1 & LAN2 to talk to each other WITHOUT ProtonVPN first?

You need Outbound NAT rules that allow LAN1 and LAN2 to talk to each other.
Basically:
Source LAN1, Interface LAN2, NAT address LAN2. (for LAN1 to access LAN2)
Source LAN2, Interface LAN1, NAT address LAN1. (if you need LAN2 to access LAN1)

Then the Rules to actually route clients from LAN1 over the LAN2 gateway when the destination IP is LAN2, vice versa if necessary.

You won't automatically see LAN2 clients from LAN1; you will have to access them by IP address, as broadcasts will not pass between the two subnets.
« Last Edit: March 25, 2023, 12:35:52 AM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #4 on: March 25, 2023, 06:35:27 AM »

I reckon when I run the VPN on my laptop, the communication is encrypted and OPNsense can't see I'm trying to reach out a device on a different subnet?
Do you mean your laptop is on LAN, running the VPN software on the laptop? If so then that sounds correct: anything your laptop sends will be encrypted and sent to the VPN. The products I work with call this a "full tunnel". Does the software allow exclusions, where you can tell it that traffic for LAN2 can go direct and bypass the VPN?
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5285
    • Thinkbroadband Quality Monitors
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #5 on: March 25, 2023, 08:40:01 AM »

Do you mean your laptop is on LAN, running the VPN software on the laptop? If so then that sounds correct: anything your laptop sends will be encrypted and sent to the VPN. The products I work with call this a "full tunnel". Does the software allow exclusions, where you can tell it that traffic for LAN2 can go direct and bypass the VPN?

Agreed, if the VPN is on the PC then it's normal for commercial VPN clients to force all traffic over the VPN to avoid security holes. Although if it's a standard WireGuard or OpenVPN client I don't think they block local LAN access.

This is one reason I have the VPN on the router, then policy route clients - that way the LAN is unaffected and the router has full control over what traffic goes where.  Router DNS rules can still apply and anything upstream goes to Cloudflare DNS over TLS.  I consider that safer and faster than doing DNS over a VPN provider anyway.

That does make things a bit more complicated if region unblocking, although I find DNS is not often used for this these days; it's more down to what region the source IP appears to be coming from.
« Last Edit: March 25, 2023, 08:44:09 AM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

hushcoden

  • Reg Member
  • ***
  • Posts: 430
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #6 on: March 25, 2023, 11:40:27 AM »

Yes, the VPN is running on my laptop - okay then, so no way around, unless I run the VPN within OPNsense itself, thanks everybody.
Logged

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #7 on: March 25, 2023, 01:09:50 PM »

I was wondering if someone has an idea on how I can access my devices on LAN2 from LAN while connected through the (Proton)VPN.

I believe it's a routing issue, but I'm not able to fix it. I use OPNsense and the two devices I want to access are connected to interface LAN2: LAN is on 192.168.0.1/24 while LAN2 is on 192.168.20.1/24. I believe I should create some rules, but so far all my attempts (on WAN and/or LAN/LAN2 interface) have failed: any networking expert who can help me out?

Tia.

You put a route on the laptop itself with a better metric than the VPN pointing to that subnet. Nothing to do with OPNsense; it never sees your attempt to reach that network, so no rules there would help.

That's how you do it - a permanent route pointing to your regular LAN's default gateway so that the packets are sent to OPNsense not the VPN.
Logged
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.

hushcoden

  • Reg Member
  • ***
  • Posts: 430
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #8 on: March 25, 2023, 02:54:47 PM »

That's how you do it - a permanent route pointing to your regular LAN's default gateway so that the packets are sent to OPNsense not the VPN.
Okay, so in Windows something like
Code:
route -p add destination_network MASK subnet_mask gateway_ip
and will I still be able to route my laptop traffic through the VPN?
« Last Edit: March 25, 2023, 03:43:36 PM by hushcoden »
Logged

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #9 on: March 25, 2023, 03:53:21 PM »

Apart from that network, absolutely. The route only selects that destination network; everything else should fall through to the VPN.

May not work: the VPN may have a driver that preempts the machine's routing but that's how you'd do it assuming the VPN isn't playing other games under the Windows network stack.
Logged
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.
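As an added illustration of the route-selection point made above (not code from the thread or from any of the products named in it): a small longest-prefix-match resolver over a constructed Windows-style routing table. The VPN gateway 10.2.0.1, the two /1 routes a full-tunnel client installs, the metrics and the interface names are all assumptions; the LAN gateway 192.168.0.1, laptop 192.168.0.7, raspi 192.168.20.50 and the added 192.168.20.0/24 route are the values from the thread.

```python
import ipaddress

# Constructed routing table for a laptop on LAN (192.168.0.7) with a full-tunnel
# VPN client connected. Full-tunnel clients commonly add 0.0.0.0/1 and 128.0.0.0/1,
# which together cover all of IPv4 and out-rank the LAN default route on prefix
# length. Values other than the thread's own addresses are assumptions.
VPN_GW = "10.2.0.1"      # assumed VPN tunnel gateway
LAN_GW = "192.168.0.1"   # OPNsense LAN address from the thread


def build_table(with_lan2_route: bool):
    table = [
        # (prefix, gateway, metric, interface)
        ("0.0.0.0/0",      LAN_GW,     25, "Ethernet"),
        ("0.0.0.0/1",      VPN_GW,      5, "VPN"),
        ("128.0.0.0/1",    VPN_GW,      5, "VPN"),
        ("192.168.0.0/24", "on-link", 281, "Ethernet"),
    ]
    if with_lan2_route:
        # Equivalent of: route add 192.168.20.0 MASK 255.255.255.0 192.168.0.1
        table.append(("192.168.20.0/24", LAN_GW, 1, "Ethernet"))
    return [(ipaddress.ip_network(p), gw, m, i) for p, gw, m, i in table]


def select_route(table, dst):
    """Longest-prefix match first; ties broken by lowest metric.

    Note: a VPN driver that hooks the stack below the routing table can
    override this, as the reply above warns; this models the table only.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    net, gw, metric, iface = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return {"prefix": str(net), "gateway": gw, "metric": metric, "interface": iface}


def check_split(table, lan2_host, internet_host):
    """Sanity check for the split: LAN2 host leaves via the LAN gateway,
    an internet host still leaves via the VPN interface."""
    lan2 = select_route(table, lan2_host)
    inet = select_route(table, internet_host)
    return (lan2 is not None and lan2["interface"] == "Ethernet"
            and inet is not None and inet["interface"] == "VPN")


if __name__ == "__main__":
    for flag in (False, True):
        print("LAN2 route installed:", flag,
              "->", select_route(build_table(flag), "192.168.20.50"))
```

Without the /24 route, 192.168.20.50 falls into 128.0.0.0/1 and is sent into the tunnel; with it, the /24 wins on prefix length regardless of metric, while 1.1.1.1 still matches only the /1 routes and stays on the VPN.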

hushcoden

  • Reg Member
  • ***
  • Posts: 430
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #10 on: March 25, 2023, 06:29:59 PM »

It seems to be working with my laptop connected through ProtonVPN by running the following command:
Code:
route add 192.168.20.0 MASK 255.255.255.0 192.168.0.1
having my laptop on 192.168.0.7 and the raspi on 192.168.20.50

Should I be concerned about any possible security holes somewhere? Are there any checks I can/should perform?

P.S.
special thanks to XGS_Is_On
« Last Edit: March 25, 2023, 07:11:48 PM by hushcoden »
Logged

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #11 on: March 25, 2023, 07:05:20 PM »

No security issues. It just bypasses the VPN for your local network which is frankly what should happen anyway.

They like to encapsulate everything to prevent DNS leakage; however, unless your DNS is in your local network you're fine. If you are hosting DNS in your local network, as long as you're using DNS over HTTPS for your upstream DNS, the ones your local DNS server is consulting, you're cool.

Test with https://www.dnsleaktest.com/
Logged
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.

hushcoden

  • Reg Member
  • ***
  • Posts: 430
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #12 on: March 25, 2023, 07:48:43 PM »

DNS test is fine, I get the Proton IP addresses  :)

On the raspi, I'm running AdGuardHome + Unbound: all clients' DNS requests go to ADG -> Unbound -> root servers directly, it should be fine? Do I really need DoT or DoH?
Logged

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #13 on: March 28, 2023, 10:04:29 AM »

Not really, no.

Thought DNS would work as expected: nice.
Logged
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5285
    • Thinkbroadband Quality Monitors
Re: Accessing devices on LAN2 while connected through the VPN
« Reply #14 on: March 28, 2023, 11:02:47 AM »

Surely it depends what you are using a VPN for in the first place?
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors