Skip to main content

Tutorial: Reach OpenVPN Clients Directly from a Private Network

Abstract

How do you reach OpenVPN clients directly from a private network? We will show you how in this tutorial. Access Server makes it possible with routing.

Overview

This tutorial details how to use Access Server's routing feature to price access to connected VPN clients.

By default, Access Server uses network address translation (NAT) for packet routing on the VPN. NAT is the easiest way to grant access to resources on the same network as Access Server, such as file or web servers. However, NAT traffic is one-way: OpenVPN clients can reach resources on the private network behind Access Server, but you can't reach clients.

To provide direct contact with connected clients, you set up Access Server's routing.

Routing doesn't use address translation — Access Server forwards traffic coming from a VPN client in the VPN client subnet directly to the target private network. You must make the target network aware of where to reach the VPN client subnet.

You can do this by adding a static route to a gateway or in the target server's operating system.

Follow the steps below to configure routing and add the static route.

Tip

We recommend you use routing for Access Server configurations involving the VOIP protocol. It typically doesn't work with NAT.

Access Server uses NAT by default. To change to routing:

  1. Sign in to the Admin Web UI.

  2. Click Configuration > VPN Settings.

  3. Under Routing, click Yes, using Routing for Should VPN clients have access to private subnets (non-public networks on the server side)?

With routing enabled, you now have two-way traffic for Access Server, but you still need to correctly define route tables. That's because the target on the private network doesn't know how to respond to traffic from the VPN client subnet.

To add static routes:

  1. Take note of the VPN client subnet and the Access Server IP address. (For our example, the subnet is 172.16.47.0/24 and the server IP address is 192.168.47.222.)

  2. Look up the static route table in the default gateway system on your private network.

  3. Add the appropriate static route.

Example 3. Route example

Network 172.16.47.0 with subnet mask 255.255.255.0 to go through gateway 192.168.47.222


Traffic should now flow in both directions, from the VPN client subnet to the private network, and from the private network to the VPN client subnet.

If you have a high-availability setup using several Access Servers configured as a cluster, the routing and VPN client subnet features is more complicated. For details about how to use the Group Default IP Address Network to configure routing for a cluster configuration to reach connected clients see Group default IP address networks for Access Server.

Troubleshooting

Whenever you have trouble getting traffic to pass through with Access Server, you should try to determine the exact spot where things break. To visualize this we use tools like tcpdump and ping to find the point where traffic breaks. We describe this in detail on our troubleshooting reaching systems over the VPN tunnel page.