on 09-05-2022 12:59 PM
Hi
I am running an OpenVPN server on a Windows 11 PC behind my talktalk router (IP range 192.168.65.0/24) so I can remotely access my home network. This OpenVPN server hands out 10.8.0.0/24 addresses to clients connecting from the internet. I have made the PC that runs the OpenVPN server promiscuous, so it will forward connections from the remote OpenVPN client to other devices (with 192.168.65.X IPs) on the talktalk LAN.
I can successfully connect to the actual OpenVPN server (ping, RDP etc.). However, the other LAN devices need to know how to route back to the 10.8.0.0/24 client for their connections/services to work. I tried adding a static route on the talktalk router so that any 10.8.0.0/24 addresses coming back to the talktalk router/gateway LAN interface were passed to the OpenVPN server local address, to be routed back to the 10.8.0.0/24 client rather than dropped. However, this doesn't appear to work.
To get this to work, I'm currently having to add individual routes into each machine routing tables that I want to connect to remotely. So, for instance, if I add a route to the actual local device routing tables:
route ADD 10.8.0.0 MASK 255.255.255.0 192.168.65.(Router localIP)
Then the 10.8.0.0/24 packets are forwarded to the OpenVPN server and the remote VPN client receives the packets back correctly. I'd really rather not have to add routes to each machine on the LAN and would rather the talktalk router/gateway pushed 10.8.0.0/24 addresses back to the OpenVPN server.
How am I supposed to tell the talktalk router/gateway (192.168.65.1) to pass any 10.8.0.0/24 packets received on its LAN interface to the OpenVPN server to deliver them to the remote client? Adding a static route in the talktalk router doesn't seem to work (i.e. none of IP_BR_LAN, IP_DATA, IP_STATIC) e.g.:
IP version Destination IP address Interface Gateway IP Address Metric Origin
IPV4 10.8.0.0/24 IP_BR_LAN 192.168.65.(routerlocalIP) Auto Static
Thanks
DJ
on 10-05-2022 12:54 PM
My problem is that I have no way of testing static routes anymore with the kit I have at my disposal. At work I used to have a very comprehensive lab of all sorts of networking kit & could simulate just about anything.
Until V130 firmware on the Sagemcom it was impossible to save static routes at all, so if I had a way of testing them, they were gone as soon as you left the page. So there was no way of testing them to see if they even worked at all. Now they do save OK, it has only just made it possible to test them, but until I can understand the interface names there is not much point in me trying to do this.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
on 10-05-2022 12:24 PM
OK great. Just to explain why I'm using routing rather than bridging...
Android and iOS VPN APIs only support TUN/routed tunnels on Layer 3 at the moment, meaning if I tried to use a TAP based bridging tunnel neither android phones nor iOS devices will be able to connect to the VPN.
"Without such changes to the VpnService API, it is not possible for non-root apps such as OpenVPN Connect to support TAP-style tunnels."
Bridging would be preferable if I was just using Linux/Windows PC remote clients because, as you say, they would simply be given an address on the remote LAN address range and everything would be simple and the remote devices would have access to broadcasts and all services as if they were on the LAN. Because I want to be able to connect my phone to the remote LAN, the connection has to be a routed tunnel on Layer 3.
Regards
DJ
on 10-05-2022 11:23 AM
As I said I will come back to you when I have an answer. In my years of working with VPN servers, I have never seen them implemented like you are trying to do.
Keith
on 10-05-2022 11:10 AM
Hi
Yes, obviously I did an internet/google search for information on the various route interface types on the SAGEMCOM router and found pretty much nothing. However, (I think) I have tried all relevant interface types (at least IP_STATIC, IP_BR_LAN and IP_DATA) and none appear to allow me to route 10.8.0.0/24 destination packets arriving at the router's LAN interface to the OpenVPN server as the appropriate gateway for that address range. I tried IP_BR_LAN first, since at least it implied it was looking at the router's LAN interface rather than its WAN interface. I assume the IP_IPTV and IP_IPTV_MULTI are only relevant for TalkTalk's IPTV product offering.
Perhaps it's just not possible to do what I'd like to achieve, but it would be good to know what the various Static route interfaces are supposed to be used for and what actual router interface (LAN/WAN) they are routing from.
DJ
on 10-05-2022 10:45 AM
Before I can really answer your question, I am trying to find out exactly what each interface name is, when adding routes. Internet searches seem to suggest that IP_BR_LAN might be a bridged LAN interface, which, if correct, will not work anyway as you are routing, not bridging. I am waiting on the TT products team to come back to me on this, as it is not documented anywhere & other internet searches do not give any reliable information. When I know what they are, I'll come back to you.
Keith
on 09-05-2022 05:56 PM
Hi
I'm certainly not a networking expert, but I believe this is how OpenVPN works when using routing rather than its "ethernet bridge mode" by using a virtual tunnel (TUN) with virtual adapters on the server/client to allow multiple clients to connect to a single server TCP/UDP port.
Quote "Routing provides a greater ability to selectively control access rights on a client-specific basis."
The OpenVPN server has a virtual adapter on a different private address range from the one on its LAN and hands out IPs to the remote clients in that alternative private address range. In this case, I'm using the default OpenVPN settings for the virtual address range of 10.8.0.0/24. The remote client is given the OpenVPN server's WAN domain name/IP address in its configuration, and it connects to the server through a port. I'm using port 443 and it is port forwarded through the talktalk router/gateway to the OpenVPN server LAN address. The OpenVPN server then doles out an address to the remote client in the virtual adapter range, e.g. 10.8.0.2. Now the OpenVPN server and client can connect and I can RDP/ping etc. between them.
However, for the remote client to see the other devices on the talktalk LAN then the OpenVPN server must forward the remote client's request to connect to the talktalk LAN address range (192.168.65.0/24) via forwarding. The talktalk router/gateway then provides the final route to the local machine. However, the source is from the 10.8.0.0/24 address range that the talktalk gateway/router knows nothing about, so drops any packets to that range. What needs to be done is that any packets originating with a 10.8.0.0/24 destination address must be passed to the OpenVPN server's local address 192.168.65.3 for translation as the GW for that address range.
If the local LAN router/gateway was a linux box rather than the talktalk router this could be done using iptables e.g.
iptables -A PREROUTING -t mangle -i <LAN_interface> -d 10.8.0.0/255.255.255.0 -j ROUTE --gw 192.168.65.3
I would like to do something similar where I can make the talktalk router/gateway route any such 10.8.0.0/24 addresses to the OpenVPN server at 192.168.65.3 for routing rather than dropping them. I thought I would be able to do that as a static route of 10.8.0.0/24 addresses from the talktalk router's LAN interface to the OpenVPN server, but it doesn't appear to work.
At the moment, to get the 10.8.0.0/24 destinations routed correctly from local machines to the remote VPN client, I have to add a route in each machine between the 10.8.0.0/24 destination and the OpenVPN server at 192.168.65.3. Putting these individual routes allows the remote client to interact properly with the machines on the talktalk LAN but is a pain and only works for devices that I can set routes for.
My route table currently looks like this:
Thanks
David
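As an added example (not code from this thread, from OpenVPN or from Sagemcom), here is a small Python model of the three return-path situations described in the two posts above: a LAN machine with no route for the VPN pool, the per-machine route the poster adds by hand, and the static route on the router that the poster is trying to configure. It uses the addresses given in the thread (192.168.65.0/24, router .1, OpenVPN server .3, client pool 10.8.0.0/24); the names "lan-host" and "wan", and the assumption that a 10.8.0.0/24 destination handed to the WAN side is simply dropped, are constructed simplifications.

```python
import ipaddress

# Addresses as stated in the thread.
LAN = ipaddress.ip_network("192.168.65.0/24")
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTER = ipaddress.ip_address("192.168.65.1")
OPENVPN_SERVER = ipaddress.ip_address("192.168.65.3")


def lookup(table, dst):
    """Longest-prefix match over a list of (network, next_hop).
    next_hop None means the prefix is directly connected ("on-link").
    Returns the next hop, "on-link", or None when no prefix matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return None
    return "on-link" if best[1] is None else best[1]


def build_tables(per_host_route=False, router_static_route=False):
    """Constructed routing tables for the hosts in the thread.
    'wan' is a stand-in for the ISP side, which has no route back to a private pool."""
    lan_host = [(LAN, None), (DEFAULT, ROUTER)]
    if per_host_route:
        # The 'route ADD 10.8.0.0 MASK 255.255.255.0 ...' the poster adds on each machine.
        lan_host.append((VPN_POOL, OPENVPN_SERVER))
    router = [(LAN, None), (DEFAULT, "wan")]
    if router_static_route:
        # What a working static route on the router's LAN side would have to express.
        router.append((VPN_POOL, OPENVPN_SERVER))
    openvpn = [(LAN, None), (VPN_POOL, None), (DEFAULT, ROUTER)]  # pool is on-link via tun
    return {
        "lan-host": lan_host,
        str(ROUTER): router,
        str(OPENVPN_SERVER): openvpn,
        "wan": [],  # constructed: nothing upstream knows 10.8.0.0/24, so it is dropped
    }


def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start` until the packet is delivered on-link or dropped."""
    path = [start]
    current = start
    for _ in range(max_hops):
        hop = lookup(tables[current], dst)
        if hop is None:
            path.append("dropped")
            return path
        if hop == "on-link":
            path.append("delivered")
            return path
        current = str(hop)
        path.append(current)
    path.append("loop")
    return path


def return_path(scenario, dst="10.8.0.2"):
    """Path taken by a reply from a LAN machine back to VPN client `dst` under one scenario."""
    if scenario == "no-routes":
        tables = build_tables()
    elif scenario == "per-host-route":
        tables = build_tables(per_host_route=True)
    elif scenario == "router-static-route":
        tables = build_tables(router_static_route=True)
    else:
        raise ValueError(scenario)
    return trace(tables, "lan-host", dst)


if __name__ == "__main__":
    for scenario in ("no-routes", "per-host-route", "router-static-route"):
        print(f"{scenario:22s} {' -> '.join(return_path(scenario))}")
```

The "no-routes" case is the thread's symptom: the LAN machine's only match is its default route, so the reply goes to the router, which in turn only has a default route and hands the packet upstream, where it is lost. The per-host route short-circuits that by sending the reply straight to the OpenVPN server, and the router static route gives the same result without touching every machine, which is exactly the behaviour the poster cannot get from the Sagemcom's static-route page.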
on 09-05-2022 03:10 PM
There are two WiFi hubs and they are totally different. Your subject title did not state which one you had, so thank you for telling me that you have the Sagemcom.
VPN servers in a commercial environment hand out IP addresses on the same subnet as the router, not a totally different private IP address. Of course, this does not mean that they can't do this, it is just that if you connect to an office VPN server, you are put on the same IP network as that office.
Have you tried this just using the one subnet as above or do you have a particular reason for using the network 10 address as well?
Please can you include a screenshot of your routing table (PM it to me if you prefer) and I will see what I can work out?
Keith
on 09-05-2022 02:10 PM
Hi
Like it says in the subject, it's the Wi-Fi Hub model aka Sagemcom Fast 5364 3.00. The SW firmware version is SG4K100136 and GUI 5.6.1
After all the info given in the original description, I forgot to give this 🙂
I think what I just need to know is how to get the FAST 5364 router/gateway to forward 10.8.0.0/24 packets arriving on its LAN interface to the OpenVPN server at 192.168.65.3 so I don't have to set a whole bunch of persistent routes on all devices connected to the LAN.
Thanks
David
on 09-05-2022 01:23 PM
Hi @Pledget
@Karl-TalkTalk has asked me to help you with this static route problem. Which TalkTalk router are you using & which firmware version is it running?
Keith
on 09-05-2022 01:20 PM
Hi
I've no idea on this, but I know someone who will.
@KeithFrench. Do you have the answer to this one?
Thanks
Karl.