How to allow client-to-client communication on an OpenVPN server?

Client 1 (192.168.255.3) cannot ping Client 2 (192.168.255.4).
How do I set things up so that Client 1 can communicate with Client 2?

```
# cat /var/lib/docker/volumes/ovpn-data-example/_data/openvpn.conf

server 192.168.255.0 255.255.255.0
verb 3

key /etc/openvpn/pki/private/vpn.server.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn.server.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key

key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup

client-to-client
topology subnet

### Route Configurations Below
route 192.168.255.0 255.255.255.0

### Push Configurations Below
push "route 192.168.255.0 255.255.255.0"
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
```

I run OpenVPN in Docker on a DigitalOcean VPS.

Every client connects to the server without problems, but no client can ping any other client.


You most likely need to make a firewall rule that allows the clients to communicate with one another. If you just want them to ping, you will need to allow ICMP packets through. If you want more than ping, you will need to specify additional rules. If you use iptables rules to allow cross-client communication, then get rid of `client-to-client` in your OpenVPN configuration.

For example:

```
# accept replies to connections that have already been allowed, in every chain
iptables -I INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow new ICMP (ping) flows between the two clients, in both directions
iptables -I FORWARD -s 192.168.255.3 -d 192.168.255.4 -p icmp -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -s 192.168.255.4 -d 192.168.255.3 -p icmp -m conntrack --ctstate NEW -j ACCEPT
```

The first three rules tell the firewall to allow packets that belong to, or are related to, already established connections.

The last two allow ICMP (ping) packets to be forwarded from one client to the other.
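As an added example (not code from the answer above), here is the same iptables approach written so it can be generated for any number of clients and inspected before it is applied. It assumes, as the answer says, that `client-to-client` has been removed from openvpn.conf: with that option OpenVPN forwards traffic between clients internally and the packets never reach the kernel's FORWARD chain, so iptables cannot filter them. It also assumes that net.ipv4.ip_forward is enabled, that the FORWARD chain is otherwise empty (the rules are appended with `-A`, so the explicit DROP lands last), and that the commands are run as root in the network namespace that owns tun0, which under Docker is the OpenVPN container. The function names `emit_rules`, `count_rules` and `apply_rules`, the `TUN_IF` variable and the final DROP rule are my additions, not anything from the page.

```shell
#!/bin/sh
# Added example, not the answer's own code: generate (and optionally apply) the
# FORWARD rules that allow ICMP between any number of OpenVPN clients.
# Assumptions (not stated on the page): "client-to-client" has been removed from
# openvpn.conf so inter-client packets traverse the kernel FORWARD chain; the
# FORWARD chain starts empty (rules are appended with -A); the commands run as
# root in the network namespace that owns tun0 (the OpenVPN container under Docker).

TUN_IF="${TUN_IF:-tun0}"   # assumed interface name, matches "dev tun0" in the question

# emit_rules DEV CLIENT...  -> prints one iptables command per line, executes nothing
emit_rules() {
    dev=$1
    shift
    # replies to any accepted flow come back through this single stateful rule
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # one NEW-state ICMP rule per ordered client pair, restricted to the VPN interface
    for a in "$@"; do
        for b in "$@"; do
            if [ "$a" != "$b" ]; then
                printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p icmp -m conntrack --ctstate NEW -j ACCEPT\n' \
                    "$dev" "$dev" "$a" "$b"
            fi
        done
    done
    # anything else crossing between VPN clients is dropped explicitly
    printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$dev" "$dev"
}

# count_rules DEV CLIENT... -> number of rules emit_rules would produce
count_rules() {
    emit_rules "$@" | wc -l | tr -d ' '
}

# apply_rules DEV CLIENT... -> enable forwarding, install the rules, list the chain
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1      # without this nothing is forwarded back out tun0
    emit_rules "$@" | sh -e              # run the generated commands, stop on the first error
    iptables -S FORWARD                  # verify: the generated rules should now be listed
}

# usage (as root where tun0 lives):  apply_rules "$TUN_IF" 192.168.255.3 192.168.255.4
# review first with:                 emit_rules "$TUN_IF" 192.168.255.3 192.168.255.4
```

Run `emit_rules` first and read the output; only then call `apply_rules`. After that, a ping from 192.168.255.3 to 192.168.255.4 should succeed and `iptables -S FORWARD` shows the pairwise ICMP rules above the DROP. Adding a third client address to the argument list produces the extra six pairwise rules automatically; for protocols other than ICMP, add a matching rule in the inner loop with the appropriate `-p` and `--dport`.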


How to add a Windows Firewall rule to enable client-to-client communication through OpenVPN

Open PowerShell with administrator privileges and type:

```
New-NetFirewallRule -DisplayName "OpenVPN allow Inbound" -Direction Inbound -Program "%ProgramFiles%\OpenVPN\bin\openvpn.exe" -RemoteAddress LocalSubnet -Action Allow
New-NetFirewallRule -DisplayName "OpenVPN allow Outbound" -Direction Outbound -Program "%ProgramFiles%\OpenVPN\bin\openvpn.exe" -RemoteAddress LocalSubnet -Action Allow
Set-NetFirewallProfile Public -DefaultInboundAction Allow -DefaultOutboundAction Allow
```

From now on, every connected client should be able to ping you.

Optional: to check that the rules have been added, open Windows Defender Firewall (wf.msc).