Jump to content

[HOWTO] PacketSquirrel VPN to LAN routing without OpenVPN AS

Lux Æterna

Recommended Posts

Hi all,
several months ago I wrote a guide on how to seamlessly connect OpenVPN clients to the PS' LAN (e.g. your laptop from your home connection connecting to a printer in the same LAN as the PS, without having to use SSH as a proxy), but due to OpenWRT's preconfigured firewall I missed some iptables configurations to make it work properly (thank you @m3t4lk3y for pointing this out). So I figured I'd write a new, corrected standalone post.
This is useful to manage remote subnets from anywhere with more than one VPN client (as this OpenVPN AS feature is paywalled, also this is completely headless, no clunky web interface required)
A word of caution: since we're going to push routes to your computer and 90% of common subnets are either or I advise you change your home/most used network to something a bit more uncommon, like, as to avoid overlapping.
I'm going to assume an OpenVPN server is already set up and running.
So, let's say that my home network is and I want to use a PS to manage target network Let's also assume my VPN subnet is something like, and that your computer and PS when connected to the VPN have the IPs and respectively.
On my VPN server I need to create a new folder to contain client specific directives.

mkdir /etc/openvpn/ccd

In this folder I'm going to create a file that's named exactly like the client name I used when I created a certificate for the PS (this is important, if you don't otherwise it's not going to work). I'm going to assume it was packetsquirrel

echo "iroute" > /etc/openvpn/ccd/packetsquirrel

This tells OpenVPN that the route is going to flow through this specific client.
Then you need to edit your openvpn's server.conf

client-to-client						# allows VPN clients to communicate with each other
client-config-dir /etc/openvpn/ccd/		# specifies the folder we created earlier as client-config-dir
push "route"	# pushes the route to every connected client
route			# adds this route to the OpenVPN server itself

Once you've done that restart your OpenVPN server.
If everything went smoothly you should be able to SSH into the PS directly with "ssh root@".
Do that, and from inside the PS run this commands (assuming your WAN interface in the PS is br-lan, if not it should be eth1, depending on your PS' network configuration):

# Packets flowing from (tun0) to (br-lan) should be accepted and forwarded
iptables -I FORWARD -i tun0 -o br-lan -s -d -m conntrack --ctstate NEW -j ACCEPT
# Masquerade packets coming from as coming from the PS' WAN IP 
iptables -t nat -I POSTROUTING -o br-lan -s -j MASQUERADE

If everything went smoothly you should be able to seamlessly reach every device on the target's LAN (e.g. for the router).
Keep in mind that iptables rules are volatile, meaning they will be reset should the PS get rebooted. I could have put the configurations on the config files but seen the portable/multifunction nature of the device I'd rather run it by hand than possibly breaking the defaut network configurations intended by Hak5.

Link to comment
Share on other sites

  • 1 month later...

@Lux Æterna Thanks for the awesome explanation, I am attempting this right now, but for some reason it still is not working. I can easily reach the PS, and the PS can access the network it is located on. But I can't seem to access the network from my home computer.

I followed the instructions you gave to the letter, but for some reason it doesn't work. Am I missing something? Where would you advice me to look?

Thanks in advance :)

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...