[HOWTO] PacketSquirrel VPN to LAN routing without OpenVPN AS


Lux Æterna

Hi all,
several months ago I wrote a guide on how to seamlessly connect OpenVPN clients to the PS' LAN (e.g. your laptop from your home connection connecting to a printer in the same LAN as the PS, without having to use SSH as a proxy), but due to OpenWRT's preconfigured firewall I missed some iptables configurations to make it work properly (thank you @m3t4lk3y for pointing this out). So I figured I'd write a new, corrected standalone post.
This is useful to manage remote subnets from anywhere with more than one VPN client (as this OpenVPN AS feature is paywalled; also this is completely headless, no clunky web interface required).
A word of caution: since we're going to push routes to your computer and 90% of common subnets are either 192.168.0.0/24 or 192.168.1.0/24, I advise you to change your home/most used network to something a bit more uncommon, like 192.168.57.0/24, so as to avoid overlapping.
I'm going to assume an OpenVPN server is already set up and running.
So, let's say that my home network is 192.168.57.0/24 and I want to use a PS to manage target network 192.168.0.0/24. Let's also assume my VPN subnet is something like 10.9.20.0/24, and that your computer and PS when connected to the VPN have the IPs 10.9.20.4 and 10.9.20.8 respectively.
On my VPN server I need to create a new folder to contain client specific directives.

mkdir /etc/openvpn/ccd


In this folder I'm going to create a file that's named exactly like the client name I used when I created a certificate for the PS (this is important; if it doesn't match, it's not going to work). I'm going to assume it was packetsquirrel.

echo "iroute 192.168.0.0 255.255.255.0" > /etc/openvpn/ccd/packetsquirrel


This tells OpenVPN that the route 192.168.0.0/24 is going to flow through this specific client.
Then you need to edit your openvpn's server.conf

client-to-client						# allows VPN clients to communicate with each other
client-config-dir /etc/openvpn/ccd/		# specifies the folder we created earlier as client-config-dir
push "route 192.168.0.0 255.255.255.0"	# pushes the route 192.168.0.0/24 to every connected client
route 192.168.0.0 255.255.255.0			# adds this route to the OpenVPN server itself

Once you've done that restart your OpenVPN server.
If everything went smoothly you should be able to SSH into the PS directly with "ssh root@10.9.20.8".
Do that, and from inside the PS run these commands (assuming your WAN interface in the PS is br-lan; if not, it should be eth1, depending on your PS' network configuration):

# Packets flowing from 10.9.20.0/24 (tun0) to 192.168.0.0/24 (br-lan) should be accepted and forwarded
iptables -I FORWARD -i tun0 -o br-lan -s 10.9.20.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Masquerade packets coming from 10.9.20.0/24 as coming from the PS' WAN IP 
iptables -t nat -I POSTROUTING -o br-lan -s 10.9.20.0/24 -j MASQUERADE

If everything went smoothly you should be able to seamlessly reach every device on the target's LAN (e.g. 192.168.0.1 for the router).
Keep in mind that iptables rules are volatile, meaning they will be reset should the PS get rebooted. I could have put the configuration in the config files, but given the portable/multifunction nature of the device I'd rather run it by hand than possibly break the default network configuration intended by Hak5.

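As an added example (not part of the original post), a small Python checker that verifies the server-side pieces of this HOWTO before you restart OpenVPN: the directives in server.conf, a ccd file whose name matches the client CN exactly, a matching iroute, and that the pushed route does not overlap the home LAN or the VPN subnet. The server.conf text and the dict standing in for /etc/openvpn/ccd/ are constructed from the values in the post.

```python
import ipaddress

def parse_directives(text):
    """Return [(directive, [args])] from OpenVPN config text, dropping comments and quotes."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            out.append((parts[0], parts[1:]))
    return out

def check_routing(server_conf, ccd_files, client_cn, home_net, vpn_net, target_net):
    """Return a list of problems; an empty list means the config matches the HOWTO.
    ccd_files is a {filename: content} dict standing in for /etc/openvpn/ccd/."""
    problems = []
    directives = parse_directives(server_conf)
    present = {name for name, _ in directives}
    for needed in ("client-to-client", "client-config-dir"):
        if needed not in present:
            problems.append(f"server.conf is missing '{needed}'")
    target = ipaddress.ip_network(target_net)
    netmask_form = [str(target.network_address), str(target.netmask)]
    if ("route", netmask_form) not in directives:
        problems.append("server.conf has no 'route' for the target LAN")
    if ("push", ["route"] + netmask_form) not in directives:
        problems.append("server.conf does not push the target LAN route to clients")
    # The ccd file name must match the client certificate CN exactly (case included).
    ccd = ccd_files.get(client_cn)
    if ccd is None:
        problems.append(f"no ccd file named exactly '{client_cn}'")
    elif ("iroute", netmask_form) not in parse_directives(ccd):
        problems.append(f"ccd/{client_cn} lacks 'iroute " + " ".join(netmask_form) + "'")
    # The pushed route must not overlap the home LAN or the VPN subnet itself.
    for label, net in (("home LAN", home_net), ("VPN subnet", vpn_net)):
        if ipaddress.ip_network(net).overlaps(target):
            problems.append(f"{label} {net} overlaps the target LAN {target_net}")
    return problems

# Constructed sample inputs using the values from the HOWTO.
SERVER_CONF = """client-to-client
client-config-dir /etc/openvpn/ccd/
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
"""
CCD_OK = {"packetsquirrel": "iroute 192.168.0.0 255.255.255.0\n"}
CCD_WRONG_CASE = {"PacketSquirrel": "iroute 192.168.0.0 255.255.255.0\n"}  # CN mismatch
if __name__ == "__main__":
    print(check_routing(SERVER_CONF, CCD_OK, "packetsquirrel", "192.168.57.0/24", "10.9.20.0/24", "192.168.0.0/24"))
```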

  • 1 month later...

@Lux Æterna Thanks for the awesome explanation, I am attempting this right now, but for some reason it still is not working. I can easily reach the PS, and the PS can access the network it is located on. But I can't seem to access the network from my home computer.

I followed the instructions you gave to the letter, but for some reason it doesn't work. Am I missing something? Where would you advise me to look?

Thanks in advance :)
