Configuring Bi-Directional OpenVPN tunnel on rPi 2

wooleyx64
OpenVpn Newbie
Posts: 2
Joined: Wed May 18, 2016 2:25 pm

Post by wooleyx64 » Wed May 18, 2016 2:56 pm

Hello,
I am attempting to create a bi-directional tunnel for connectivity between home and office.

I have two Pi 2 devices running Raspbian; the server is at the office and the client at home.

Office Subnet: 192.168.5.0
Home Subnet: 192.168.1.0

My primary goals are
* Be able to reach the CCTV running on the office Pi from home.
* Be able to reach my NAS from the office, which is on the home subnet (192.168.1.15). This will be hosting Windows shares, if that matters.

Thus far I have only been able to reach other office systems while connected on the client machine.

For example, I can get to the office gateway router's web interface (192.168.5.1) on the client system when connected from the home network (192.168.1.0). However, I am unable to use the home Pi as a gateway to reach the office subnet: from another computer on the home network I cannot get to the office gateway router's web GUI (192.168.5.1).

Connections from the office to the home network have yet to work.

Here is my Server config:

local 192.168.5.12
dev tun
proto udp 
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key 
dh /etc/openvpn/easy-rsa/keys/dh1024.pem 
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool-persist ipp.txt
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.5.0 255.255.255.0"
# Set primary domain name server address to the SOHO Router
push "dhcp-option DNS 192.168.5.1"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
#duplicate cn must be commented out when opening bi directional comms
#duplicate-cn
keepalive 10 120
client-config-dir ccd
route 192.168.1.0 255.255.255.0
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

Here is my example Client config:

client
dev tun
proto udp
remote <mydynamicdnsaddress> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

#KEYS
ca cert
key
tls-auth

Routes on the Server:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         FIOS_Quantum_Ga 0.0.0.0         UG    0      0        0 eth0
default         FIOS_Quantum_Ga 0.0.0.0         UG    202    0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.5.0     *               255.255.255.0   U     0      0        0 eth0
192.168.5.0     *               255.255.255.0   U     202    0        0 eth0

Routes on the client when connected to VPN:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    202    0        0 eth0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
pool-71-245-125 192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     202    0        0 eth0
192.168.5.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0

I have added a static route on the office gateway router to point traffic destined to the 192.168.1.0 network to 192.168.5.12 (the OpenVPN server).
I have added a static route on the home gateway router to point traffic destined to the 192.168.5.0 network to 192.168.1.12 (The OpenVPN client at home)

IP forwarding is enabled on both devices.

Additional information:
I can ping from the server Pi (192.168.5.12) to the home Pi (192.168.1.12) with success. It seems like the client (home) side Pi is either not allowing this traffic through, or the traffic doesn't know how to get back?
My background is in IT security (firewalls/IPS/SIEM/vulns/etc.); networking has never been my forte.

Any help is much appreciated,
-Wooley

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Configuring Bi-Directional OpenVPN tunnel on rPi 2

Post by Traffic » Wed May 18, 2016 4:24 pm

Hi,

It looks like you are almost there. Please see the HOWTO:
HOWTO: For OpenVPN Community Edition

This section specifically documents your solution:
HOWTO: Expanding the scope of the VPN to include additional machines

Remember the --iroute statement in the client-config-file
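
The iroute the reply points to, illustrated here as an added example that is not part of either post. A subnet behind a client needs two routing statements on the server: the `route 192.168.1.0 255.255.255.0` already in the server config above tells the kernel to send that subnet into tun0, and an `iroute 192.168.1.0 255.255.255.0` line in the client-config-dir file named after the home client's certificate CN tells OpenVPN which connected client owns it. Without the iroute, the server's kernel hands the packets to OpenVPN but OpenVPN has no client to deliver them to, and packets arriving from other home hosts (192.168.1.x) through the client are dropped as coming from an unknown source, which matches the symptom in the first post. The script below is added here (not the poster's or the project's code); the CN `homepi`, the file names and the paths are assumptions. It reads a server.conf and a ccd directory and reports every server-side `route` subnet that no ccd file claims with `iroute`, and checks that IPv4 forwarding is on.

```shell
#!/bin/sh
# check_iroute.sh (added example, not from the thread): preflight for a
# site-to-site OpenVPN server. For every LAN subnet the server routes into the
# tunnel with a server-side "route" directive, confirm that some file in
# client-config-dir claims it with "iroute". That file's name is the client
# certificate CN, which is how OpenVPN picks the connected client to hand the
# packets to. Paths are arguments so the script can be run against copies.

# Print "net mask" for each "route NET MASK" line in the server config.
# 'push "route ..."' lines start with push and are deliberately not matched.
# OpenVPN treats a missing mask as a host route, so default it the same way.
server_routes() {
  grep -E '^[[:space:]]*route[[:space:]]' "$1" |
    awk '{ m = $3; if (m == "") m = "255.255.255.255"; print $2, m }'
}

# Print the path of the ccd file whose iroute claims NET MASK, or nothing.
# Dots are escaped so 192.168.1.0 does not also match 192.168.100.0.
iroute_owner() {
  dir=$1
  n_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  m_re=$(printf '%s' "$3" | sed 's/\./\\./g')
  grep -lE "^[[:space:]]*iroute[[:space:]]+${n_re}[[:space:]]+${m_re}([[:space:]]|$)" \
    "$dir"/* 2>/dev/null | head -n 1
}

# Check every server-side route against the ccd directory.
# Returns 0 when each routed subnet has an iroute owner, 1 otherwise.
check_iroutes() {
  conf=$1; ccd=$2; rc=0
  routes=$(server_routes "$conf")
  if [ -z "$routes" ]; then
    echo "no server-side 'route NET MASK' lines in $conf"
    return 1
  fi
  # Pack "net mask" as net/mask so the for loop gets one token per route.
  for spec in $(printf '%s\n' "$routes" | tr ' ' '/'); do
    net=${spec%/*}; mask=${spec#*/}
    owner=$(iroute_owner "$ccd" "$net" "$mask")
    if [ -n "$owner" ]; then
      echo "OK      $net $mask is claimed by ccd/$(basename "$owner")"
    else
      echo "MISSING $net $mask: add 'iroute $net $mask' to $ccd/<client CN>"
      rc=1
    fi
  done
  return $rc
}

# True when IPv4 forwarding is on; the sysctl path can be overridden for tests.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Run the checks when invoked with paths, e.g. on the office Pi:
#   sh check_iroute.sh /etc/openvpn/server.conf /etc/openvpn/ccd
if [ "$#" -ge 2 ]; then
  check_iroutes "$1" "$2"; rc=$?
  forwarding_enabled || { echo "net.ipv4.ip_forward is 0: the server will not forward between tun0 and eth0"; rc=1; }
  exit "$rc"
fi
```

For the setup in this thread the fix the script asks for is a file `ccd/homepi` (replace `homepi` with the CN in the home client's certificate) containing `iroute 192.168.1.0 255.255.255.0`, after which the server needs a restart or SIGHUP. Two gotchas worth checking on the office Pi: `client-config-dir ccd` is a relative path and is resolved against the daemon's working directory, so give the absolute path if in doubt; and because the config drops to `user nobody`/`group nogroup`, the ccd files are read at client-connect time with those privileges and must be readable by that user. Run the forwarding check on the home Pi as well, since office-to-home packets are routed through it in the same way; the static routes already added on both gateway routers cover the LAN-side return paths.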
