Routing issue In OpenVPN

Below is my OpenVPN network topology. This is an example from the OpenVPN Cookbook.

[Topology diagram]

Here is my server config file (Fedora is the server):

proto udp
port 1194
dev tun
# VPN address pool: with "topology subnet" the server takes 192.168.200.1
# and clients are assigned 192.168.200.2 upward
server 192.168.200.0 255.255.255.0

ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/openvpnserver.crt
key /etc/openvpn/cookbook/openvpnserver.key
dh /etc/openvpn/cookbook/dh2048.pem
tls-auth /etc/openvpn/cookbook/ta.key 0

keepalive 10 60

# tell connecting clients to send traffic for the server-side LAN into the tunnel
push "route 192.168.4.0 255.255.255.0"
topology subnet

daemon
log-append /home/mazimi/Desktop/openvpn.log

# per-client settings, one file per certificate common name
client-config-dir /etc/openvpn/cookbook/clients
# kernel route on the server: traffic for client1's LAN goes into the tun device;
# the matching iroute in the client's ccd file tells OpenVPN which client owns it
route 192.168.2.0 255.255.255.0 192.168.200.1

Here is the /etc/openvpn/cookbook/clients file:

# OpenVPN's internal route: 192.168.2.0/24 is reachable through this client
iroute 192.168.2.0 255.255.255.0

This is my OpenVPN client (Ubuntu):

client
proto udp
remote 192.168.3.1
port 1194
dev tun

ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/client1.crt
key /etc/openvpn/cookbook/client1.key
tls-auth /etc/openvpn/cookbook/ta.key 1

daemon
log-append /root/openvpn.log

# require the peer's certificate to be a server certificate
# (deprecated in newer OpenVPN releases in favour of "remote-cert-tls server")
ns-cert-type server

This configuration is working fine. But why is the next hop set to 192.168.200.1? (It is a local interface, not a next hop.) Shouldn't it be 192.168.200.2? I changed it to 192.168.200.2. The only differences are that:

  1. I cannot ping Ubuntu's interface (192.168.3.254) from client1.
  2. I cannot ping Fedora's interface (192.168.3.1) from client2.

All other IPs are reachable.

Could someone explain?


Solution 1:

I believe the 192.168.200.* IPs are artifacts of how OpenVPN tunnels actually work. OpenVPN in this configuration is essentially point-to-point, and each point gets its own IP address. When you route through the tunnel, you have to specify the near end of the tunnel. Think of these IPs as being internal to the way OpenVPN works (for my own clarification, I assign an entirely different non-routable block, e.g., 10.0.0.0/8, if my network is 192.168.0.0/16; the 10.0.0.0/8 IPs only exist for OpenVPN as far as I'm concerned).

In contrast, with a TAP interface, you'd actually get an IP from the LAN you're bridging to assigned to OpenVPN.

I'm sure it's somewhere in the FAQ, but I don't see it at a quick glance.
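The configuration in the question relies on two directives working together: the server-side `route` gets the kernel to hand packets for 192.168.2.0/24 to the tun device, and the `iroute` in the client's ccd file tells the OpenVPN process which connected client owns that subnet. A `route` with no matching `iroute`, or an `iroute` with no `route`, silently breaks the client-side LAN. The script below is an added example, not code from the question, the answer or the OpenVPN project: it parses a server config and a set of ccd files and reports unpaired or duplicated subnets. The `SERVER_CONF` and `CCD_FILES` texts are constructed samples modelled on the files above; the gateway field of `route` is deliberately ignored because the pairing check does not depend on it.

```python
"""Cross-check OpenVPN server `route` directives against ccd `iroute` directives.

Added example for this page; not from the question, the answer or OpenVPN itself.
Sample inputs are constructed, modelled on the configs posted in the question.
"""
import ipaddress
import shlex

# Constructed sample server config (subset of the one in the question).
SERVER_CONF = """
proto udp
dev tun
server 192.168.200.0 255.255.255.0
push "route 192.168.4.0 255.255.255.0"
topology subnet
client-config-dir /etc/openvpn/cookbook/clients
route 192.168.2.0 255.255.255.0 192.168.200.1
"""

# Constructed ccd files, keyed by the client certificate common name.
CCD_FILES = {
    "client1": "iroute 192.168.2.0 255.255.255.0\n",
}


def parse_routes(text, directive):
    """Return the set of ip_network objects declared by `directive` lines.

    Handles '#' and ';' comments and dotted netmasks. Any further fields
    (gateway, metric) are ignored: the route/iroute pairing does not depend
    on them. `push "route ..."` lines are skipped because their first token
    is `push`, not `route`.
    """
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] != directive:
            continue
        if len(parts) < 2:
            raise ValueError(f"{directive} without a network: {raw!r}")
        netmask = parts[2] if len(parts) > 2 else "255.255.255.255"
        nets.add(ipaddress.ip_network(f"{parts[1]}/{netmask}", strict=False))
    return nets


def check_pairing(server_conf, ccd_files):
    """Return (missing_iroute, missing_route, duplicates).

    missing_iroute: server `route` networks that no ccd file claims, so
                    OpenVPN receives the packets but has no client to give them to
    missing_route:  `iroute` networks with no server `route`, so the server
                    kernel never sends traffic for them into the tunnel
    duplicates:     {network: [common names]} claimed by more than one client
    """
    server_routes = parse_routes(server_conf, "route")
    claimed = {}
    for cn, text in ccd_files.items():
        for net in parse_routes(text, "iroute"):
            claimed.setdefault(net, []).append(cn)
    missing_iroute = sorted(server_routes - set(claimed), key=str)
    missing_route = sorted(set(claimed) - server_routes, key=str)
    duplicates = {net: cns for net, cns in claimed.items() if len(cns) > 1}
    return missing_iroute, missing_route, duplicates


def report(server_conf, ccd_files):
    """Human-readable findings, one per line; empty list means all paired."""
    missing_iroute, missing_route, duplicates = check_pairing(server_conf, ccd_files)
    lines = [f"route {n} has no iroute in any ccd file" for n in missing_iroute]
    lines += [f"iroute {n} has no server-side route" for n in missing_route]
    lines += [f"{n} claimed by several clients: {', '.join(c)}" for n, c in duplicates.items()]
    return lines


if __name__ == "__main__":
    findings = report(SERVER_CONF, CCD_FILES)
    print("\n".join(findings) if findings else "all route/iroute pairs consistent")
```

Run it against real files by reading the server config and every file in the `client-config-dir` into the two inputs; the sample in the block reproduces the question's setup and reports nothing, because the `route` and `iroute` pair up.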