How to route OpenVPN client's traffic through another client on the same VPN?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

amkhlv
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 19, 2017 3:58 am

How to route OpenVPN client's traffic through another client on the same VPN?

Post by amkhlv » Tue Dec 19, 2017 4:18 am

Hi!

I have an OpenVPN server with several clients attached to it.
I want one of the clients to serve as a gateway, in the sense that all the traffic from all other clients should be routed through this special client.
I know how to route through the server, by

Code:

redirect-gateway def1
But I want to push through one of the clients.
Is it possible to do automatically? Actually, I tried to do it manually, but did not succeed.
I also tried setting

Code:

route-gateway
to the client's address on the VPN. Still everything goes through the server...
What is the right way?

amkhlv
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 19, 2017 3:58 am

Re: How to route OpenVPN client's traffic through another client on the same VPN?

Post by amkhlv » Tue Dec 19, 2017 9:36 pm

This can be achieved with layer-2 VPN, i.e. using TAP (and not TUN), and configuring routing on the regular client machine as follows:

Code:

# host route to the VPN server via the LAN, so the tunnel itself keeps working after the default route changes
ip route add XXX.YYY.ZZZ.WWW via 192.168.1.10 dev eth0
# send everything else to the gateway client over the TAP interface
ip route add default via 10.8.0.5 dev tap0
# drop the old LAN default route
ip route del default via 192.168.1.10
where XXX.YYY.ZZZ.WWW is the address of the VPN server, 192.168.1.10 is the address of the client machine, and 10.8.0.5 the address of the "gateway" client. AFAIK, this has to be done manually; I could not find any automatic push directive like redirect-gateway.

As usual, on the gateway client machine one should (1) enable IP forwarding in /etc/sysctl.conf and (2) add the usual netfilter rules:

Code:

# NAT the VPN subnet out of the LAN/uplink interface
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# allow new connections from the VPN subnet to be forwarded out
iptables -I FORWARD -i tap0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# allow replies for already-tracked connections in both directions
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
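
The TAP-mode procedure from the post above as a script, as an added example that is not part of the original post. It wraps the route swap for the regular client and the forwarding/netfilter setup for the gateway client, with a DRY_RUN mode that prints the commands instead of executing them, and a check that the server is still reached over the LAN after the swap. The server address 203.0.113.10, LAN gateway 192.168.1.1 and interface names are assumptions (overridable from the environment); 10.8.0.5 and 10.8.0.0/24 are taken from the post. It also changes the ordering slightly: the old default route is removed before the new one is added, because `ip route add default` fails with "File exists" when a default route with the same metric is already present.

```shell
#!/bin/sh
# Added example, not from the original post: the TAP-mode steps above as a
# script with a dry-run mode, for both the regular client and the gateway
# client. Addresses and interface names are assumptions, overridable from the
# environment; 10.8.0.5 and 10.8.0.0/24 match the post.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # assumed public address of the OpenVPN server
LAN_GW="${LAN_GW:-192.168.1.1}"           # assumed current LAN default gateway
LAN_IF="${LAN_IF:-eth0}"
VPN_GW="${VPN_GW:-10.8.0.5}"              # gateway client's VPN address
VPN_IF="${VPN_IF:-tap0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Print the command instead of running it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Regular client: move the default route onto the gateway client.
# Order matters: pin the VPN server behind the LAN next hop *before* touching
# the default route, otherwise the tunnel's own UDP packets would follow the
# new default into the tunnel and the session stalls. The old default is
# removed before the new one is added because `ip route add default` fails
# with "File exists" when a default route with the same metric is present.
client_up() {
  run ip route replace "$VPN_SERVER/32" via "$LAN_GW" dev "$LAN_IF"
  run ip route del default via "$LAN_GW" dev "$LAN_IF"
  run ip route add default via "$VPN_GW" dev "$VPN_IF"
}

# Undo in reverse order; the host route to the server goes last so the tunnel
# stays usable while the routes are swapped back.
client_down() {
  run ip route del default via "$VPN_GW" dev "$VPN_IF"
  run ip route add default via "$LAN_GW" dev "$LAN_IF"
  run ip route del "$VPN_SERVER/32" via "$LAN_GW" dev "$LAN_IF"
}

# Gateway client: forwarding plus the netfilter rules from the post, scoped to
# the VPN subnet so the box does not forward for anything else on the TAP side.
gateway_up() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -I POSTROUTING -o "$LAN_IF" -s "$VPN_NET" -j MASQUERADE
  run iptables -I FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -m conntrack --ctstate NEW -j ACCEPT
  run iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# After client_up: the VPN server must still be reached over the LAN and
# everything else over the tunnel. `ip route get` only consults the routing
# table; it sends nothing.
client_check() {
  ip route get "$VPN_SERVER" | grep -q "dev $LAN_IF" \
    || { echo "route to $VPN_SERVER is not pinned to $LAN_IF" >&2; return 1; }
  ip route get 1.1.1.1 | grep -q "dev $VPN_IF" \
    || { echo "default route is not on $VPN_IF" >&2; return 1; }
  echo ok
}

case "${1:-}" in
  client-up)   client_up ;;
  client-down) client_down ;;
  gateway-up)  gateway_up ;;
  check)       client_check ;;
esac
```

Run it as root on the regular client with `client-up` and then `check`, and on the gateway client with `gateway-up`; `DRY_RUN=1 ./script.sh client-up` shows what would be executed without touching the routing table. The sysctl change is runtime only; persist it in /etc/sysctl.conf as the post says.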

satyapasupuleti
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 04, 2018 10:23 am

Re: How to route OpenVPN client's traffic through another client on the same VPN?

Post by satyapasupuleti » Thu Jul 05, 2018 6:59 am

Hi,
Thanks for sharing knowledge, I need the same kind of setup. Why won't it work in TUN mode? Please help me.

alex.tls
OpenVpn Newbie
Posts: 14
Joined: Fri Nov 12, 2021 11:05 am

Re: How to route OpenVPN client's traffic through another client on the same VPN?

Post by alex.tls » Wed Nov 24, 2021 2:18 pm

Why won't the TUN type work?

mk3pq28
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 13, 2020 3:08 pm

Re: How to route OpenVPN client's traffic through another client on the same VPN?

Post by mk3pq28 » Thu Feb 16, 2023 9:09 pm

I had the same requirement and solved it with the L3 TUN type. The idea was quite simple: use ccd and put iroute 0.0.0.0 0.0.0.0 in the client-specific config for the client I want to use as a gateway. I'm on OpenVPN 2.6_rc1. So we should have at least 3 nodes in the network:
  • server - endpoint with a public IP (a VPS on Debian in my case)
  • client-gateway - a computer behind any firewalls / NATs with internet access (I use a Raspberry Pi at home; it's behind the provider's NAT and my home router). This computer will be used as an exit node for all clients of the VPN.
  • client device - any client to be routed via client-gateway. I have Linux and Android only, but I suggest this will work for Windows clients too.
Important options for the server are:

Code:

dev tun1
client-to-client
topology subnet

# We'll use this for our client-gateway special config
client-config-dir /etc/openvpn/ccd

# Or use this option manually for all clients except client-gateway
push "redirect-gateway autolocal"
Also DHCP and authentication must be configured. There is nothing special here, just another network.
The most important part is the client-specific configuration for the client-gateway node. It contains only 2 options:

Code:

# I believe this one is optional, but haven't tested that
ifconfig-push 10.5.5.2 255.255.255.0

# This will route all the traffic onto our client-gateway node
iroute 0.0.0.0 0.0.0.0
I have net.ipv4.conf.tun1.forwarding=0 on the server, because all packets are routed internally by OpenVPN, I guess. They're probably not even passed to the kernel, so if you run tcpdump -i tun1 on the server it will be silent, and that's OK.

For the client-gateway the only important option is route-nopull, since I'm pushing a default route to each client. And since my client-gateway node is behind the provider's NAT and router, I had to configure a static route to the VPN subnet via client-gateway on the router box, to make it handle packets from the tunnel properly. Or you can do masquerade on the client-gateway node. Anyway, net.ipv4.conf.tun1.forwarding must be enabled here.

All other clients have no special options.

I'm not very experienced in networking, but I've done a few tests with IP checks and tcpdump. And it seems the traffic is routed correctly: client -> server -> client-gateway -> internet.
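
The TUN/ccd setup from the post above, as an added example that is not part of the original post: a script that writes the three config fragments (server, client-gateway, ordinary client) into a scratch directory and then lints them for the mistakes that silently break this arrangement: a missing client-to-client or client-config-dir on the server, a missing catch-all iroute in the gateway's ccd file, a gateway that does not set route-nopull while the server pushes a default route (which loops the gateway's own upstream traffic back into the tunnel), and an ordinary client that sets route-nopull and so never gets the default route. The common name "gw-pi", the 10.5.5.0/24 server subnet, the remote name vpn.example.org and the scratch path are assumptions; certificate/key and auth directives are left out, as the post does.

```shell
#!/bin/sh
# Added example, not from the original post: generates the three config
# fragments for the TUN/ccd setup described above into a scratch directory and
# lints them for the mistakes that silently break it (missing iroute, missing
# client-to-client, gateway without route-nopull). The common name "gw-pi",
# the 10.5.5.0/24 subnet, the remote name and the scratch path are assumptions;
# certificate/key and auth lines are left out as the post does.
GW_CN="${GW_CN:-gw-pi}"          # assumed CN on the gateway client's certificate
DIR="${DIR:-$(mktemp -d)}"       # scratch directory for the generated files

write_configs() {
  mkdir -p "$DIR/ccd"
  cat > "$DIR/server.conf" <<EOF
dev tun1
server 10.5.5.0 255.255.255.0
topology subnet
client-to-client
client-config-dir $DIR/ccd
push "redirect-gateway autolocal"
EOF
  # Only the gateway gets the catch-all iroute: with client-to-client the
  # server hands other clients' packets for 0.0.0.0/0 to it inside OpenVPN.
  cat > "$DIR/ccd/$GW_CN" <<EOF
ifconfig-push 10.5.5.2 255.255.255.0
iroute 0.0.0.0 0.0.0.0
EOF
  # The gateway must ignore the pushed default route, or it would send its
  # own upstream traffic back into the tunnel.
  cat > "$DIR/gateway-client.conf" <<EOF
client
dev tun
remote vpn.example.org 1194
route-nopull
EOF
  cat > "$DIR/client.conf" <<EOF
client
dev tun
remote vpn.example.org 1194
EOF
}

# has_opt FILE 'option text': true if the option appears as a whole directive.
has_opt() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# Returns 0 if the generated set is consistent, 1 otherwise (reasons on stderr).
lint_exit_node() {
  rc=0
  s="$DIR/server.conf"
  for opt in client-to-client client-config-dir 'topology subnet'; do
    has_opt "$s" "$opt" || { echo "server.conf: missing '$opt'" >&2; rc=1; }
  done
  ccd="$DIR/ccd/$GW_CN"
  { [ -f "$ccd" ] && has_opt "$ccd" 'iroute 0\.0\.0\.0 0\.0\.0\.0'; } \
    || { echo "ccd/$GW_CN: missing 'iroute 0.0.0.0 0.0.0.0'" >&2; rc=1; }
  if has_opt "$s" 'push "redirect-gateway' \
     && ! has_opt "$DIR/gateway-client.conf" route-nopull; then
    echo "gateway-client.conf: server pushes a default route but the gateway lacks route-nopull (routing loop)" >&2
    rc=1
  fi
  if has_opt "$DIR/client.conf" route-nopull; then
    echo "client.conf: route-nopull would discard the pushed default route" >&2
    rc=1
  fi
  return $rc
}

case "${1:-}" in
  write) write_configs && echo "$DIR" ;;
  lint)  lint_exit_node ;;
esac
```

`./script.sh write` prints the scratch directory; copy the fragments into your real server.conf, ccd/<CN of the gateway> and the two client configs, then point `DIR` at the real locations and run `lint` before restarting the server. The ccd file name must match the gateway's certificate common name exactly, otherwise OpenVPN never applies the iroute and the server's own default route is used instead.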
