Unable to access host and guests on PVE from an OpenVPN client

Sandbo

Jul 4, 2019
Hi,

I am new to PVE and I am starting to explore the interface.
On my server where PVE was installed, I created a guest with Ubuntu 18.04 installed. They all sit on a subnet of 192.168.3.0/24.
My desktop sits in 192.168.2.0/24. I have no problem accessing the web interface of the PVE. SSH to the guest ubuntu also works perfectly.

However, any connection attempt from an OpenVPN client on the subnet 10.8.0.0/24 failed to reach the PVE; I could not open the web interface, nor could I ping/SSH the PVE. The guest Ubuntu was not accessible either.
The OpenVPN connection is working as expected; I could access other computers in the LAN network (any subnet), except that I cannot access the PVE and what it contains.

Any idea what could be missing?
I tried to do "pve-firewall stop" to stop the firewall, but still I cannot connect through OpenVPN to the PVE.

Thanks.
 
Hi,

With this information, nobody can help you.
Because you do not tell where the OpenVPN endpoint is.
Or how your network settings are.
 
Sure, I am happy to provide more information.
I am not an expert in networking, so it will be good if you can help me with what is needed.

1. What do you mean by OpenVPN endpoint?
I am using an OpenVPN server setup in ClearOS (derived from CentOS). I could connect from anywhere to the router (192.168.1.1) and see all my LAN devices (over 192.168.1.0/24, 192.168.2.0/24). I also enabled client-to-client so devices within the 10.8.0.0/24 subnet of the VPN can connect to each other. The only thing being masked is the PVE host and the guests inside, when connected through the bridge.

I also realized that if I set a port-forward rule for my guest OS, say 192.168.3.191, to the WAN, I am able to connect from the WAN side without OpenVPN. So PVE's bridge is indeed working. But it is shielding OpenVPN clients from themselves for some reason.

2. How my network settings are. Could you elaborate on what I should give?
Here is my interpretation:
WAN-->Router with 4 NICs-->rest of devices
NIC 1-->WAN port
NIC 2-->switch-->192.168.1.0/24 subnet, connected to my servers
NIC 3-->Wireless AP-->192.168.2.0/24 subnet, connected to my desktop through WiFi
NIC 4-->192.168.3.0/24 subnet, connected to my PVE host.

Within the LAN (communication among the above subnets), I can connect from my desktop/server to the PVE host and guest.
Outside of the LAN, using OpenVPN, I connect from my office and my office computer gained an IP of 10.8.0.6 in the subnet of 10.8.0.0/24.
For example, I had to enable a rule in my server to allow access from 10.8.0.0/24 for connection from my office to my server to work.
I tried the same on the PVE but it did not help. (enabling/disabling a rule for 192.168.2.0/24 does work so I think the PVE firewall is doing something, but there is something in addition to that.)


Update:
I realized if I use OpenVPN's option to route all traffic:
redirect-gateway def1
I am able to reach the PVE via OpenVPN. So I guess it is a routing issue of OpenVPN when working with the Linux bridge. I will look into this.
 
Solved. It is a completely irrelevant issue to PVE.

It is actually that I never updated the routing of the OpenVPN server. I was using a prebuilt and automatically managed OpenVPN app from ClearOS. Adding a new LAN subnet doesn't automatically add the routing between OpenVPN and the new subnet. I just had to restart the service for it to reconfigure.

Now I can connect to the PVE via OpenVPN without all traffic being routed.
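
One way to spot the condition described in the post above, as an added example that is not from the thread or from ClearOS: compare the LAN subnets against the routes an OpenVPN server config pushes to clients, and note when `redirect-gateway` hides the gap. It assumes the server hands out routes with `push "route ..."` lines; the sample config is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config, not taken from the thread or from ClearOS.
SAMPLE_CONF = """\
server 10.8.0.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
; push "route 192.168.9.0 255.255.255.0"
"""

# LAN subnets as listed in the thread's network description.
LAN_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

PUSH_ROUTE = re.compile(r'^push\s+"route\s+([\d.]+)(?:\s+([\d.]+))?')
REDIRECT = re.compile(r'^(?:push\s+")?redirect-gateway\b')


def parse_conf(text):
    """Return (networks pushed to clients, redirect-gateway present?)."""
    pushed, redirect = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        m = PUSH_ROUTE.match(line)
        if m:
            mask = m.group(2) or "255.255.255.255"  # OpenVPN default netmask
            pushed.append(ipaddress.ip_network(f"{m.group(1)}/{mask}"))
        elif REDIRECT.match(line):
            redirect = True
    return pushed, redirect


def missing_routes(conf_text, lan_subnets):
    """LAN subnets not covered by any pushed route, plus the redirect flag."""
    pushed, redirect = parse_conf(conf_text)
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    missing = [str(n) for n in lans if not any(n.subnet_of(p) for p in pushed)]
    return missing, redirect


if __name__ == "__main__":
    missing, redirect = missing_routes(SAMPLE_CONF, LAN_SUBNETS)
    for net in missing:
        print(f"no route pushed for {net}")
    if redirect and missing:
        print("redirect-gateway is set, so the missing routes are masked")
```

Run against the constructed sample, it reports 192.168.3.0/24 as the subnet with no pushed route, which matches the symptom in the thread.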
 
