OpenVPN > Caddy > Access List

Started by NeoDragon, March 08, 2025, 05:58:24 PM

Hi everyone,

I'm trying to make the Caddy access list work through the OpenVPN instance but am having difficulties.

The OpenVPN instance works; I can access local IPs within the local network. However, Caddy does not recognize the OpenVPN connection as a local network connection but rather as the WAN connection of the user, so it is blocked by the access list.

I tried setting the OpenVPN instance with different redirect gateway options but it still does not work. The connection either times out and nothing appears in the Caddy log file, or the connection is blocked because it's being recognized as an outside IP instead of a local network one.

Can anyone help?

What is the destination address the VPN user tries to access with their browser? Is that part of the VPN tunnel?

E.g. if, as one frequently does,

- you have your external IP address as myapplication.mydomain.com so Caddy can take care of Letsencrypt and things
- additionally you have a VPN tunnel with RFC 1918 IP addresses and "local networks" set to your LAN and possibly other local addresses

then a browser connecting to myapplication.mydomain.com will use the current Internet uplink of the device in question and not the VPN tunnel.

So it's important that you give the complete topology including addresses - you might hide the external one if you are concerned about that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Here's the topology:

LAN networks
- 192.168.1.0/24
- 192.168.2.0/24
- 192.168.3.0/24
- 192.168.4.0/24

VPN network
- 192.168.50.0/24

myapplication.mydomain.com and Caddy are on the local network, 192.168.1.0/24

The OpenVPN routing options have all LAN networks added in the local networks tab.

And the Caddy access list includes 192.168.50.0/24?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Yes, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 and 192.168.50.0/24 are in the Caddy access list.

Get out the big guns - use tcpdump and trace from source to destination interface by interface what is happening ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I'd say split tunnel, and the request does not go through the VPN tunnel due to DNS being resolved to the external IP.
Hardware:
DEC740
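To make the split-tunnel diagnosis above concrete, here is a small added Python model (not from the thread, OPNsense or Caddy) that takes the topology posted earlier plus a DNS answer for myapplication.mydomain.com and reports which path the browser's request takes and whether the Caddy access list would match the source Caddy sees. The client addresses and both DNS answers are constructed sample values.

```python
import ipaddress

# Topology as posted in the thread.
LAN_NETWORKS = ["192.168.1.0/24", "192.168.2.0/24",
                "192.168.3.0/24", "192.168.4.0/24"]
VPN_POOL = "192.168.50.0/24"
# Split tunnel: OpenVPN pushes routes only for the "local networks".
PUSHED_ROUTES = LAN_NETWORKS
CADDY_ACCESS_LIST = LAN_NETWORKS + [VPN_POOL]

# Constructed sample addresses (documentation ranges for the public ones).
CLIENT_VPN_IP = "192.168.50.6"     # address the client got from the VPN pool
CLIENT_WAN_IP = "198.51.100.23"    # the client's own Internet uplink
PUBLIC_ANSWER = "203.0.113.10"     # public DNS answer for myapplication.mydomain.com
INTERNAL_ANSWER = "192.168.1.10"   # split-DNS answer pointing at Caddy's LAN address


def in_any(ip, networks):
    """True if ip falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def diagnose(resolved_ip, pushed_routes=PUSHED_ROUTES,
             access_list=CADDY_ACCESS_LIST,
             vpn_ip=CLIENT_VPN_IP, wan_ip=CLIENT_WAN_IP):
    """Model the path of the browser's request and what Caddy sees.

    With a split tunnel only destinations inside a pushed route enter the
    tunnel; anything else leaves via the client's normal uplink, so Caddy
    sees the client's public address and the access list rejects it.
    """
    via_tunnel = in_any(resolved_ip, pushed_routes)
    source = vpn_ip if via_tunnel else wan_ip
    return {
        "destination": resolved_ip,
        "via_tunnel": via_tunnel,
        "source_seen_by_caddy": source,
        "allowed_by_access_list": in_any(source, access_list),
    }


if __name__ == "__main__":
    for answer in (PUBLIC_ANSWER, INTERNAL_ANSWER):
        print(diagnose(answer))
```

Run against the address your client actually resolves (e.g. from `nslookup myapplication.mydomain.com` while connected) to see which of the two cases you are in.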