Openvpn: Subnets for different groups - Destination host unreachable
I managed to get this working by making the server subnet a /16 instead of a /24 and leaving client-to-client disabled. With client-to-client enabled, the traffic is forwarded inside OpenVPN before it reaches the IP layer of the OpenVPN server, so iptables won't be able to limit the traffic (see this post).
server.conf
...
server 10.9.0.0 255.255.0.0 # Subnet mask /16 instead of /24
;route 10.9.1.0 255.255.255.0 # These were not needed when the subnet mask is /16
;route 10.9.2.0 255.255.255.0 # These were not needed when the subnet mask is /16
;client-to-client
...
For a client config in the ccd directory we also need to update the subnet mask, from 255.255.255.0 to 255.255.0.0:
ifconfig-push 10.9.2.2 255.255.0.0
Now you only need to add the appropriate iptables rules. Depending on your setup these might need more configuration. I followed this example to get started since I'm also quite new to iptables. Below are some examples which might be useful.
# Make sure established packets are allowed
iptables -A FORWARD -i tun0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from one subnet to the other
iptables -A FORWARD -i tun0 -s 10.9.0.0/24 -d 10.9.2.0/24 -j ACCEPT
# Drop all other traffic between VPN clients (the server subnet is 10.9.0.0/16; this rule must come after the ACCEPT rules)
iptables -A FORWARD -i tun0 -s 10.9.0.0/16 -d 10.9.0.0/16 -j DROP
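The two things that went wrong in this thread were a ccd mask that no longer matched the server subnet, and FORWARD rules that did not line up with the VPN range. The following is an added example, not part of the answer above or of OpenVPN: it parses a constructed server.conf and a few constructed ccd entries, flags any ifconfig-push that is outside the server subnet or uses a different mask, and builds the FORWARD rule list in the order that matters (conntrack accept, explicit allows, then the catch-all drop), refusing subnets that are not inside the VPN range. The file contents, client names and the allowed pairs are assumptions.

```python
import ipaddress
import re

# Constructed sample server.conf, modelled on the configuration in the answer.
SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.9.0.0 255.255.0.0    # /16 so the per-group /24 subnets fit inside it
;route 10.9.1.0 255.255.255.0
;route 10.9.2.0 255.255.255.0
;client-to-client
"""

# Constructed ccd entries (client name -> file contents): one correct,
# one that still carries the old /24 mask, one outside the server subnet.
CCD_FILES = {
    "alice": "ifconfig-push 10.9.2.2 255.255.0.0",
    "bob":   "ifconfig-push 10.9.1.5 255.255.255.0",
    "carol": "ifconfig-push 10.10.1.5 255.255.0.0",
}


def _strip_comment(line):
    """OpenVPN treats '#' and ';' as comment starters; drop everything after them."""
    return re.split(r"[#;]", line, maxsplit=1)[0].strip()


def parse_server_conf(text):
    """Return (server network, client-to-client enabled?) from server.conf text."""
    net, client_to_client = None, False
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if not parts:
            continue
        if parts[0] == "server" and len(parts) >= 3:
            # 'server 10.9.0.0 255.255.0.0' -> 10.9.0.0/16
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "client-to-client":
            client_to_client = True
    return net, client_to_client


def check_ccd(server_net, ccd_files):
    """List ifconfig-push entries whose address or mask disagrees with the server subnet."""
    problems = []
    for name, text in ccd_files.items():
        for raw in text.splitlines():
            parts = _strip_comment(raw).split()
            if len(parts) < 3 or parts[0] != "ifconfig-push":
                continue
            addr = ipaddress.ip_address(parts[1])
            # Convert the dotted mask to a prefix length for comparison.
            prefix = ipaddress.ip_network(f"0.0.0.0/{parts[2]}").prefixlen
            if addr not in server_net:
                problems.append(f"{name}: {addr} is outside {server_net}")
            elif prefix != server_net.prefixlen:
                problems.append(f"{name}: mask /{prefix} differs from server /{server_net.prefixlen}")
    return problems


def build_forward_rules(vpn_net, allowed_pairs, tun="tun0"):
    """Build the FORWARD rules for group isolation; order is significant.

    With client-to-client disabled, client-to-client packets leave tun0 and
    re-enter it, so they traverse FORWARD with -i tun0 -o tun0 (the kernel
    must also have IP forwarding enabled). Every subnet in allowed_pairs
    must lie inside vpn_net, which catches typos such as 10.8.x vs 10.9.x.
    """
    rules = [
        f"iptables -A FORWARD -i {tun} -o {tun} "
        "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    ]
    for src, dst in allowed_pairs:
        for subnet in (src, dst):
            if not ipaddress.ip_network(subnet).subnet_of(vpn_net):
                raise ValueError(f"{subnet} is not inside the VPN range {vpn_net}")
        rules.append(f"iptables -A FORWARD -i {tun} -s {src} -d {dst} -j ACCEPT")
    # Catch-all drop for anything between VPN clients not explicitly allowed.
    rules.append(f"iptables -A FORWARD -i {tun} -s {vpn_net} -d {vpn_net} -j DROP")
    return rules


if __name__ == "__main__":
    net, c2c = parse_server_conf(SERVER_CONF)
    print(f"server subnet: {net}, client-to-client: {c2c}")
    for problem in check_ccd(net, CCD_FILES):
        print("ccd problem:", problem)
    for rule in build_forward_rules(net, [("10.9.0.0/24", "10.9.2.0/24")]):
        print(rule)
```

Run it against your own files by reading server.conf and each file in the ccd directory into the two structures at the top; the rule list is printed rather than applied so it can be reviewed before anything touches the firewall.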