How to Setup OpenVPN as Internet-Gateway and Connection between multiple Private networks on Virtualized Server

routing openvpn

I am trying to implement the following:

  • Network A (e.g. 192.168.1.0/24) with Router (192.168.1.254)
  • Network B (e.g. 192.168.2.0/24) with Router (192.168.2.254)
  • Online vServer for VPN (e.g. 172.217.2.7) with VPN network (10.8.0.0/24)
  • Client A (e.g. on Public Wifi)
  • Client B (e.g. on some other Private Network)

I want that All Networks and Clients to initialize a OpenVPN connection on My Server and all clients should be able to see the other clients/Networks over the vpn.

I also want all internet traffic of the clients (that are no routers) to be routed over the server (For Safe Browsing) and I want also that the clients are able to reach hosts inside the Private Networks "Network A" and "Network B" (and vice versa)

The Networks should only route the data that is addressed to vpn clients and hosts behind the other networks over the vpn as well

I would configure the routers of the networks to route:

  • 192.168.X.0/24 (where X is the own local network) local
  • 192.168.0.0/16 over the vpn.
  • 10.8.0.0/24 over the vpn
  • 0.0.0.0/0 over the internet (everythinge else...)
  • Firewall: NATting to Public IP for Internet, no NATting for VPN

Are my Routes correct?

Now the real Question: How do I set up the OpenVPN server and the Firewall Roules. My Server is a Strato virtual private server with Ubuntu 14.04 64 Bit.

Should I set up NAT as internet gateway for all clients and just ignore the nat on my Routers (routing as described above)? How Do I let the clients communiate with each other? And the most difficult: How do I set up the forewaring of the Packets for hosts inside of the networks over the vpn

Examples:

Client B <=> VPN <=> Router for Net A <=> Host in Net A 
Host in Net A <=> Router Net A <=> VPN <=> Router Net B <=> Host in Net B
Server that hosts VPN ("internal IP") <=> VPN <=> Some Host behind a router
Server that hosts VPN ("internal IP") <=> VPN <=> Client

# Not that important, but would be cool:
Client A <=> VPN <=> Client B

What else do I neet to set up that i might have forgotten above?


1Have you enabled IP forwarding?

sudo vi /etc/sysctl.conf #uncomment net.ipv4.ip_forward and set = 1

net.ipv4.ip_forward = 1

sudo sysctl -p

If you are using TUN then there is a tunnel IP address that your client has. The default pool is 10.8.1.0/24. Unless your router knows about the tunnel IPs and has routes for them, you need to masquerade (NAT) the IP addresses of the tunnels so that the OpenVPN Server will rewrite the source address to be itself. It seems like you may have this covered by your mention of routing 10.8.0.0/24.

sudo apt-get install iptables-persistent
sudo iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Related

Kerberos service started with Error: Cannot open DB2 database on Ubuntu 18
Restrict web access on apache web server to FreeIPA users
Can a server with no public IP interface be a NAT?
Lets encrypt with lighttpd and wordpress
TLS 1.2 with RSA vs ECDSA Ciphers
azure AD connect certicate [closed]
Do the tld name servers cache the authoritative name servers? For how long?
How to access iDRAC from outside network. or through DDNS
MySQL databases vanished on our VPS (DigitalOcean)
Nutanix AMD-V - hardware assisted virtualisation
Access a node from different subnet
Running desktop software as a "service"