establish connection between OpenVPN subnets
Posted: Sun Mar 28, 2021 4:16 pm
Hello,
In my free time I'm maintaining the server/network for a small nonprofit organization and am by no means a professional in networking and system administration.
Currently my goal is to separate users on different OpenVPN subnets and then use the firewall to grant/deny permissions to specific ports on the same server OpenVPN is running on.
I have a feeling that I'm missing some obvious knowledge about OpenVPN/networking to get this up and running, but have trouble putting my finger on it.
This is what I intend to achieve:
10.8.0.0/24 default subnet, not touching this
10.8.1.0/24 administrator subnet, if the connection is initiated from this subnet, connection is allowed to any port
10.8.2.0/24 user subnet, if the connection is initiated from this subnet, only allow connections to port 80
I have managed to give specific users static IPs using this command:
Code:
echo "ifconfig-push 10.8.1.1 255.255.255.0" > /etc/openvpn/ccd/admin
The Problem
The OpenVPN Connect client correctly gets an IP from the 10.8.1.0/24 subnet; however, I'm unable to ping the 10.8.0.0/24 subnet from 10.8.1.0/24.
I have tried numerous different setups during the last 3 days; here are a few examples:
https://openvpn.net/community-resources/how-to/
https://openvpn.net/community-resources ... -policies/
https://openvpn.net/community-resources/how-to/#scope
but as mentioned above, I have a feeling that I'm missing some basic networking knowledge and am unable to glean the necessary insight from the said documentation.
To reproduce my exact testing setup:
Code:
# start ubuntu 18.04 image from digitalocean
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
# accept all default parameters
server.conf: this is the default server.conf after the openvpn-install.sh script installs OpenVPN
Code:
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_jJMvzniBnzqhaoFW.crt
key server_jJMvzniBnzqhaoFW.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
iptables -S
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
I am looking for the simplest example of achieving this on which I can build upon.
If 10.8.1.0/24 pings 10.8.0.1 I'll be golden.
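
Added example, not part of the original post: the policy described above written as the server.conf route lines for the two extra subnets plus a dedicated iptables chain for traffic arriving on tun0. The chain name VPN_IN and the function names are assumptions; client-side addressing under topology subnet is not covered here.

```shell
#!/bin/sh
# Added example: per-source-subnet policy for traffic arriving on the VPN interface.
# Subnets and tun0 come from the post; VPN_IN and the function names are assumptions.
VPN_IF="tun0"
ADMIN_NET="10.8.1.0/24"   # administrators: any port
USER_NET="10.8.2.0/24"    # users: TCP port 80 only

# Lines to add to server.conf. Without a kernel route for each extra subnet,
# the server sends replies to 10.8.1.x out its default route, not the tunnel.
server_conf_routes() {
    for net in "$ADMIN_NET" "$USER_NET"; do
        printf 'route %s 255.255.255.0\n' "${net%/*}"
    done
}

# Filter-table fragment in iptables-restore format. Rule order matters:
# the port-80 ACCEPT must come before the DROP for the user subnet.
vpn_ruleset() {
    cat <<EOF
*filter
:VPN_IN - [0:0]
-A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A VPN_IN -s $ADMIN_NET -j ACCEPT
-A VPN_IN -s $USER_NET -p tcp -m tcp --dport 80 -j ACCEPT
-A VPN_IN -s $USER_NET -j DROP
-A VPN_IN -j RETURN
COMMIT
EOF
}

# Load the chain without flushing existing rules, then put the jump ahead of
# the blanket "-A INPUT -i tun0 -j ACCEPT" rule, which would otherwise win.
apply_ruleset() {
    vpn_ruleset | iptables-restore --noflush
    iptables -C INPUT -i "$VPN_IF" -j VPN_IN 2>/dev/null ||
        iptables -I INPUT 1 -i "$VPN_IF" -j VPN_IN
}

# "apply" needs root; any other invocation only prints what would be used.
case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     server_conf_routes; vpn_ruleset ;;
esac
```

Traffic from 10.8.0.0/24 falls through RETURN to the existing INPUT rules, so the default subnet behaves as before.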