Basically I'm connecting two LANs thru OpenVPN. The VPN tunnels are established successfully, but I have some kind of routing issue.
For better understanding, here is a scheme of the topology:
Current State:
Network A is using a Fritzbox 7412 router with a (dynamic) public IP address which is available thru a DynDNS name (mydomain.de in my sample confs). Local network is 192.168.3.0.
In Network A is an Ubuntu-Server which serves (among other things) as the OpenVPN server. Therefore the UDP ports 1194 & 1195 are forwarded in the router to this server PC (192.168.3.130). I have two OpenVPN servers running: server1 is for connecting my other network B, server2 is for accessing both of my networks from an iPhone.
Network B is using a Fritzbox 7390 which is behind a 4G router and due to the NAT of the 4G provider it has no public IP-address. Local network is 192.168.20.0.
In Network B is a Raspberry Pi (running Ubuntu MATE, local address 192.168.20.24) which serves as the OpenVPN-Client.
What I want: All clients from both networks and the iPhone should be able to communicate thru my VPN structure. To get that done I have push-routes set for the client's network, and on both routers of the LANs I configured static IP routes directing the opposite network to the OpenVPN client/server as gateway.
Now this already works:
- Both tunnels get established
- Ping, including:
  - from Ubuntu-Server to 10.8.0.10 and 192.168.20.24
  - from Client-PC in Network A to 10.8.0.10 and 192.168.20.24 and to the remote router 192.168.20.1
  - from Raspberry Pi in Network B to 10.8.0.1 and 192.168.3.130, the remote router 192.168.3.1 and to another client in Network A (192.168.3.154)
  - from Client-PC in Network B to 192.168.3.130, the remote router 192.168.3.1 and the other client in Network A (192.168.3.154)
- Reaching web servers thru the browser from the iPhone inside Network A (I can open pages on 192.168.3.130 and 192.168.3.154)
- Reaching web servers thru the browser from the Raspberry Pi in Network B on all devices in Network A (192.168.3.130, 192.168.3.1, 192.168.3.154)
- SSH from Ubuntu-Server thru the tunnel to the Raspberry using 10.8.0.10 and 192.168.20.24
- SSH from Client-PC in Network A thru the tunnel to the Raspberry using 10.8.0.10 and 192.168.20.24
- SSH from the Raspberry in Network B thru the tunnel to the Ubuntu-Server using 10.8.0.1 and 192.168.3.130
- SSH from Client-PC in Network B thru the tunnel to the Ubuntu-Server using 192.168.3.130

- Webpages (http) and file sharing (smb) thru the tunnels, including:
  - from Client-PC in Network B to 192.168.3.130, 192.168.3.1, 192.168.3.154 >> timeout
  - from Client-PC in Network A to 10.8.0.10, 192.168.20.24, 192.168.20.1 >> timeout
  - from the iPhone using both tunnels to 10.8.0.10, 192.168.20.24, 192.168.20.1 >> timeout
- Ping from Network A (regardless of which machine) to a device in Network B which does not have a DHCP IP address but a fixed one.

- tried the options „tun-mtu“, „fragment“ and „mssfix“ > no change in the problems
- disabled firewalls on both the Ubuntu-Server and the Raspberry Pi
@Ubuntu-Server in Network A, server1.conf
Code:
port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key # This file should be kept secret
dh ./easy-rsa2/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp_hhsl.txt
push "route 192.168.3.0 255.255.255.0"
push "route 10.8.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.20.0 255.255.255.0
client-to-client
keepalive 10 120
tls-auth ./easy-rsa2/keys/ta.key 0
cipher AES-256-CBC # AES
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status_hhsl.log
verb 3
tun-mtu 1200
fragment 1200
mssfix 1200
Code:
iroute 192.168.20.0 255.255.255.0
Code:
port 1195
proto udp
dev tun1
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key
dh ./easy-rsa2/keys/dh2048.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp_vic.txt
push "route 192.168.3.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
tls-auth ./easy-rsa2/keys/ta.key 0
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status_vic.log
verb 3
@Raspberry Pi in Network B, client.conf
Code:
client
dev tun
proto udp
remote mydomain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert hhsl.crt
key hhsl.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
tun-mtu 1200
fragment 1200
mssfix 1200
Code:
client
dev tun1
proto udp
remote kunterbuntcloud.de 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert vic.crt
key vic.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
Static routes in Router of Network B:
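Added example, not part of the original post and not OpenVPN's own tooling: a small Python consistency check over server, ccd and client configs modelled on the ones posted above. It flags a server-side `route` for a client LAN that has no matching `iroute` in any ccd entry, and any mismatch between the two tunnel ends in the options that must agree (tun-mtu, fragment, mssfix, cipher, comp-lzo). The config texts are constructed from the post; the ccd entry name "hhsl" is an assumption taken from the client certificate name.

```python
# Constructed inputs modelled on the posted server1.conf, ccd entry and client.conf.
# The ccd file name "hhsl" is assumed (it is not stated in the post).
SERVER1 = """port 1194
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
client-config-dir ccd
route 192.168.20.0 255.255.255.0
cipher AES-256-CBC # AES
comp-lzo
tun-mtu 1200
fragment 1200
mssfix 1200
"""
CCD = {"hhsl": "iroute 192.168.20.0 255.255.255.0\n"}
CLIENT = """client
dev tun
remote mydomain.de 1194
cipher AES-256-CBC
comp-lzo
tun-mtu 1200
fragment 1200
mssfix 1200
"""
# Options that must be identical on both tunnel ends. tun-mtu and fragment in
# particular have to match; MTU trouble classically shows up as small pings
# passing while larger TCP transfers (http, smb) stall.
LINK_OPTS = ("tun-mtu", "fragment", "mssfix", "cipher", "comp-lzo")

def parse(text):
    """Map directive -> list of argument strings; '#' comments are dropped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, args = line.partition(" ")
            opts.setdefault(key, []).append(args.strip().strip('"'))
    return opts

def check(server_text, ccd_texts, client_text):
    """Return findings (empty list == consistent). A server 'route' for a client
    LAN needs a matching 'iroute' in a ccd entry; without it the kernel sends
    that LAN into the tunnel but OpenVPN does not know which client owns it."""
    srv, cli = parse(server_text), parse(client_text)
    iroutes = {r for t in ccd_texts.values() for r in parse(t).get("iroute", [])}
    findings = [f"server route {n} has no matching ccd iroute"
                for n in srv.get("route", []) if n not in iroutes]
    findings += [f"{o}: server={srv.get(o)} client={cli.get(o)}"
                 for o in LINK_OPTS if srv.get(o) != cli.get(o)]
    return findings

if __name__ == "__main__":
    print(check(SERVER1, CCD, CLIENT) or "configs consistent")
```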