How can multiple clients of an openvpn server find each other?

I am bringing up an openvpn server that will support multiple clients into a private subnet. So on the private subnet the clients connecting will get IP addresses such as 10.8.0.10, 10.8.0.11, etc.

One of the facilities I need is for the clients to be able to find each other. Is there any easy and generally accepted way for a client to see the list of IP addresses the server has assigned to all clients?

I don't need DNS names or anything like that.


Solution 1:

In the OpenVPN server configuration file, a prerequisite is the following directive:

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

To facilitate the clients finding each other easily I would suggest dynamic DNS as the (just about) always present enterprise solution. To present a list of active clients you could perhaps either:

  • find a way of distributing or making available the openvpn-status.log to the clients?
  • distribute ping scripts or similar to clients, perhaps doing a reverse dns lookup for every live host?
  • have the clients register/deregister themselves in a custom db or file upon connection and have a scavenging mechanism of some sort. This alternative seems like totally reinventing the wheel, but no doubt it would be a fun way of spending an hour which adds nothing to the world of IT at large.
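One way to act on the first bullet above (making the status log available to clients) is to parse the server's openvpn-status.log and publish only the mapping from common name to virtual VPN address, leaving out the clients' real (public) addresses and traffic counters that the file also contains. The script below is an added example, not code from the original answer or from the OpenVPN project; it assumes the default status-version 1 layout produced by the `status openvpn-status.log` directive, and the sample log embedded in it is constructed for illustration (including a subnet entry of the kind an `iroute` for a client-side LAN produces in the routing table).

```python
#!/usr/bin/env python3
"""Reduce an OpenVPN status log (status-version 1, the default) to a
redacted client list: common name -> virtual VPN address(es).

Added example, not from the original thread. Assumptions: the server
writes the default version-1 format, and only CN and virtual address
should be published to other clients (no real addresses, no counters).
"""

import sys
from typing import Dict, List

# Constructed sample of what the server writes with `status openvpn-status.log`.
SAMPLE_STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51044,20184,23466,Thu Jun 18 08:05:11 2015
client2,198.51.100.7:1194,10480,11050,Thu Jun 18 08:09:02 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.10,client1,203.0.113.5:51044,Thu Jun 18 08:12:10 2015
10.8.0.11,client2,198.51.100.7:1194,Thu Jun 18 08:12:14 2015
192.168.4.0/24,client2,198.51.100.7:1194,Thu Jun 18 08:11:40 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status_log(text: str) -> Dict[str, List[str]]:
    """Return {common_name: [virtual addresses]} from the ROUTING TABLE section.

    Only the routing table is read. The CLIENT LIST section carries the
    clients' real addresses and byte counters, which should not be handed
    out to other clients. Subnets routed via iroute show up here too, as
    "a.b.c.d/bits" entries, so a client's LAN is listed alongside its VPN IP.
    """
    clients: Dict[str, List[str]] = {}
    in_routing = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ROUTING TABLE":
            in_routing = True
            continue
        if not in_routing:
            continue
        if line in ("GLOBAL STATS", "END"):
            break  # end of the routing table
        if line.startswith("Virtual Address,"):
            continue  # column header
        fields = line.split(",")
        if len(fields) < 2:
            continue  # malformed line: skip rather than crash on a half-written file
        vaddr, cn = fields[0], fields[1]
        clients.setdefault(cn, []).append(vaddr)
    return clients


def redacted_listing(text: str) -> str:
    """One 'cn address' line per virtual address, sorted by common name."""
    clients = parse_status_log(text)
    lines = []
    for cn in sorted(clients):
        for addr in clients[cn]:
            lines.append(f"{cn} {addr}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: openvpn_clients.py [/path/to/openvpn-status.log]
    # With no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_STATUS_LOG
    print(redacted_listing(source))
```

Run it from cron on the server and drop the output on a share or small HTTP endpoint reachable only over the VPN; the file is rewritten in place by OpenVPN, so the malformed-line check matters when the script happens to read it mid-update.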

Solution 2:

Here is the original link supporting the OpenVPN 2.x client-to-client feature:

https://openvpn.net/index.php/open-source/documentation/howto.html#scope

Uncomment this directive to allow different clients to be able to "see" each other. By default, clients will only see the server. To force clients to only see the server, you will also need to appropriately firewall the server's TUN/TAP interface.

;client-to-client

Uncomment the above client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.

Next, ask yourself if you would like to allow network traffic between client2's subnet (192.168.4.0/24) and other clients of the OpenVPN server. If so, add the following to the server config file.

client-to-client
push "route 192.168.4.0 255.255.255.0"

This will cause the OpenVPN server to advertise client2's subnet to the other connecting clients.