establish connection between OpenVPN subnets

[vobiy86175]

Hello,

In my free time I'm maintaining the server/network for a small nonprofit organization and by no means am professional in networking and system administration,

Currently my goal is to separate users on different OpenVpn subnets and then use firewall to grant/deny permissions to specific ports on the same server OpenVpn is running on

I have a feeling that I'm missing some obvious knowledge about OpenVpn/Networking to get this up and running, but have trouble putting my finger on it

This is what I intend to achieve:
10.8.0.0/24 default subnet, not touching this
10.8.1.0/24 administrator subnet, if the connection is initiated from this subnet connection is allowed to any port
10.8.2.0/24 user subnet, if the connection is initiated from this subnet only allow connections to port 80

I have managed to give specific users static IPs using this command

Code: Select all

echo "ifconfig-push 10.8.1.1 255.255.255.0" > /etc/openvpn/ccd/admin

The Problem
OpenVpn Connect client correctly gets IP from 10.8.1.0/24 subnet, however, I'm unable to ping 10.8.0.0/24 subnet from 10.8.1.0/24

I have tried numerous different setups during the last 3 days, here are the few examples:
https://openvpn.net/community-resources/how-to/
https://openvpn.net/community-resources ... -policies/
https://openvpn.net/community-resources/how-to/#scope
but as mentioned above I have a feeling that's I'm missing some basic networking knowledge and am unable to glean necessary insight from the said documentation

to reproduce my exact testing setup:

Code: Select all

# start ubuntu 18.04 image from digitalocean
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
# accept all default parameters

server.conf This is default server.conf after openvpn-install.sh script installs OpenVPN

Code: Select all

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_jJMvzniBnzqhaoFW.crt
key server_jJMvzniBnzqhaoFW.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

iptables -S

Code: Select all

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT

I am looking for the simplest example of achieving this on which I can build upon.
if 10.8.1.0/24 pings 10.8.0.1 I'll be golden

[TinCanTech]

For a start, you missed a step: https://openvpn.net/community-resources ... -policies/

[vobiy86175]

which one ?
if you mean this "ifconfig-push 10.8.1.1 10.8.1.2" it gives a malformed netmask error and as I have windows clients I have to use "topology subnet"
and if you mean this "route 10.8.1.0 255.255.255.0" I have tried it like this and it didn't help

Code: Select all

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.0.0
route 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_jJMvzniBnzqhaoFW.crt
key server_jJMvzniBnzqhaoFW.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

[TinCanTech]

if you mean this "route 10.8.1.0 255.255.255.0" I have tried it like this and it didn't help

By the same flawed logic, if you can't get openvpn to work then don't use it...

[vobiy86175]

Sir, I understand that it may be tedious to explain the basics over and over again to new people, however, so far you have only provided me with vague descriptions of what is incorrect and does not work, of which I'm already painfully aware.

I only ask to nudge me in the right direction and if I failed to elaborate on something please ask me and I will do so

If you think that I came here hoping that someone would do the work instead of me you are gravely mistaken, be assured that I have already put the requisite effort into this and will continue to do so until the goal is achieved

[TinCanTech]

I only ask to nudge me in the right direction

I did .. but you chose to ignore me.. And the official online how-to.

[vobiy86175]

Good news! I figured it out

The problem was in this script:

instead of this

Code: Select all

echo "ifconfig-push 10.8.1.1 255.255.255.0" > /etc/openvpn/ccd/admin

it should have been this

Code: Select all

echo "ifconfig-push 10.8.1.1 255.255.0.0" > /etc/openvpn/ccd/admin

after which adding this in server.conf did actually work

Code: Select all

route 10.8.1.0 255.255.255.0

Very trivial after all, however, I had to consume mountain of useful information before I found it, so can't really complain

[jamesnb]

Hi vobiy86175,
I, too, plan to restrict the access to some users. Basically, we have our internal staff and the outside contractors.
I want to restrict the access for outside contractors to only 2 IP address 192.168.1.110 and 192.168.1.111
Our internal subnet is 192.168.1.0/24
Those code that you mentioned above, where should i put it? Is it in the "server.conf" file? In my case, I install the OpenVPN-AS on our in-house Ubuntu Server by using the official automate scripts https://openvpn.net/vpn-software-packages/ so I could not find the server.conf in anywhere...
So far, we mostly use the web interface to manage the Openvpn-As
Any helps are appreciated

[vobiy86175]

Hello, jamesnb,

per my knowledge, OpenVPN Access Server is a completely different implementation of OpenVPN and is aimed at corporate, licensed use.

It comes with a web interface and other creature comforts suited for big organizations.

In my search for the answer to my question I even tried to spin up Access Server configure it and then check out the server.conf file it generated, but as mentioned above I discovered that Access Server is a completely different software implementation and does not use a server.conf file.

if you don't have any special requirements which only Access Server can satisfy I advise you to try the OpenVPN community edition, install script for which you can find in my first post

note about install script: it's an open-source script from Github which makes getting up and running with OpenVPN and creating users a breeze, however after that you will need to acquaint yourself with server.conf and other related files as that's where automation ends

oh and the command you asked about, you would just run that as root on the server on which OpenVPN instance is hosted on, it creates new file /etc/openvpn/ccd/admin with the content of ifconfig-push 10.8.1.1 255.255.0.0 which is what's needed to assign the user a static ip

also, check this out to find differences between community and Access Server versions
https://openvpn.net/open-source-vs-open ... ss-server/