Unable to access PVE from VPN but can access guests

[maigoultd]

After implementing a temporary PPTP VPN while i wait for a firewall appliance, i am unable to access PVE from the VPN network. What is odd is that i can access guests, which are on the same subnet.

PVE is 192.168.0.200
Guests are 192.168.0.2XX

VPN is 192.168.2.2-192.168.2.10

Both are connected to the same router/gateway, 192.168.0.1.

Firewalls are disabled

 

[shrdlicka]

Hi,

are you running the VPN server in a Container/VM? How does your /etc/network/interfaces look?

 

[maigoultd]

Hi,

are you running the VPN server in a Container/VM? How does your /etc/network/interfaces look?

It's running on my router (192.168.0.1), a (rather underpowered) Archer C7v5 which i am replacing with said fw appliance.




This is the output of interfaces.

I should also note that i changed the DHCP scope of the VPN network to be on the same subnet as PVE and i was able to access it. While this will work as a temporary solution i'd like to find the root cause as to why this may be happening.

 

[shrdlicka]

Are your guests getting an IP via DHCP or do they have fixed ones?

 

[maigoultd]

Fixed

 

[shrdlicka]

I would guess this was caused by some route issue on the router ... since you didn't change anything on the Proxmox host ...

 

[maigoultd]

Fair, it was just odd that i was able to access the guests and not the hosts. Thanks!

 

[Bent]

I assume your issue is that packets reach your HV but your HV does not know where to send the reply as your VPN is likely a separate network.

To cope with that you could add a custom route to correctly send the replies back to your VPN address:

auto vmbr0
iface vmbr0 inet static
    address <your_host_ip>/<cidr>
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

        up route add -net <your_vpn_network>/<cidr> gw <your_vpn_server_address>

Let me know if you need a more in depth explanation / example.