Openvpn routing for lan to lan through tun
I am trying to setup an OpenVPN tun to connect two lan's
The open vpn connection is up and working but there is a problem with my routing or nat or something.
What I need is an example of what a working, routed openvpn setup should look like on the server and client side. Mainly routing tables, Nat translation, firewalls etc.
Here is what I have working:
My OpenVPN Client can access the network on the server side but my server can't even ping my OpenVpn Client's eth0
My Servers routing:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.3.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.4.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
My Clients routing:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.64.64.64 0.0.0.0 UG 0 0 0 3g-wan
10.8.0.0 10.8.0.9 255.255.255.255 UGH 0 0 0 tun0
10.8.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 3g-wan
192.168.1.0 10.8.0.9 255.255.255.0 UG 0 0 0 tun0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
This is automatically setup by openvpn using the:
push "route 192.168.1.0 255.255.255.0"
route 192.168.3.0 255.255.255.0
route 192.168.4.0 255.255.255.0
and iroute command in the client-config-dir
If anyone can suggest something I need to check I would be very grateful Alex
Edit 1#
OpenVPN Server Config:
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/mom_server.crt
key /etc/openvpn/keys/mom_server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
client-to-client
route 192.168.3.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
route 192.168.4.0 255.255.255.0
push "route 192.168.4.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
chroot /etc/openvpn
group nogroup
daemon
persist-key
persist-tun
status openvpn-status.log
verb 3
In /etc/openvpn/ccd/flexo_client
iroute 192.168.3.0 255.255.255.0
iroute 192.168.4.0 255.255.255.0
Edit 2#
I have this working, see here for the solution:
https://forums.openvpn.net/topic15768.html
OP posted the answer on forums.openvpn.net
Use this server config:
port 1194
proto udp
dev tun
topology subnet
mode server
tls-server
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # flexo_client,10.8.0.4
client-config-dir ccd
client-to-client
#ifconfig 10.8.0.1 255.255.255.0
route 192.168.3.0 255.255.255.0 10.8.0.4
route 192.168.4.0 255.255.255.0 10.8.0.4
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/mom_server.crt
key /etc/openvpn/keys/mom_server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
keepalive 10 120i
comp-lzo
user nobody
chroot /etc/openvpn
group nogroup
daemon
persist-key
persist-tun
status openvpn-status.log
verb 3
With this /etc/openvpn/ccd/flexo_client
push "route 192.168.1.0 255.255.255.0 10.8.0.1"
iroute 192.168.3.0 255.255.255.0
iroute 192.168.4.0 255.255.255.0
and this client config:
config openvpn 'flexo_client'
option nobind '1'
option float '1'
option client '1'
option comp_lzo '1'
option dev 'tun0'
option verb '3'
option persist_tun '1'
option persist_key '1'
option remote_cert_tls 'server'
option remote 'x.x.x.x'
option proto 'udp'
option resolv_retry 'infinite'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/flexo_client.crt'
option key '/etc/openvpn/flexo_client.key'
option ns_cert_type 'server'
option topology 'subnet'
option enable '1'
More information on using OpenVPN and iroute can be found on backreference.org