OpenVPN Support Forum

Posted: **Tue Dec 19, 2017 4:18 am**

Hi !

I have an OpenVPN server with several clients attached to it.
I want one of the clients to serve as a gateway, in the sense that all the traffic from all other clients should be routed through this special client.
I know how to route through the server, by

Code: Select all

redirect-gateway=def1

But I want to push through one of the clients.
Is it possible to do automatically? Actually, I tried to do it manually, but did not succeed.
I also tried setting

Code: Select all

route-gateway

to the client's address on VPN. Still all goes through the server...
What is the right way?

Posted: **Tue Dec 19, 2017 9:36 pm**

This can be achieved with layer-2 VPN, i.e. using TAP (and not TUN), and configuring routing on the regular client machine as follows:

Code: Select all

ip route add XXX.YYY.ZZZ.WWW via 192.168.1.10 dev eth0

ip route add default via 10.8.0.5 dev tap0

ip route del default via 192.168.1.10

where XXX.YYY.ZZZ.WWW is the address of the VPN server, 192.168.1.10 is the address of the client machine, and 10.8.0.5 the address of the "gateway" client. AFAIK, this has to be done manually, I could not find any automatic push directive like redirect-gateway.

As usual, one should, on the gateway client machine: (1) enable the ip forwarding in /etc/sysctl.conf and (2) add the usual netfilter rules:

Code: Select all

iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
iptables -I FORWARD -i tap0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Posted: **Thu Jul 05, 2018 6:59 am**

Hi,
Thanks for sharing knowledge, i need same kind of setup. Why it won't work in tun mode....Please help me.

Posted: **Wed Nov 24, 2021 2:18 pm**

why tun type won't work ?

Posted: **Thu Feb 16, 2023 9:09 pm**

I had same requirement and solved that with l3 tun type. The idea was quiet simple: use ccd and put iroute 0.0.0.0 0.0.0.0 for the client I want to use as a gateway. I'm on OpenVPN 2.6_rc1. So, we should have at least 3 nodes in the network:

server - endpoint with a public IP (vps on debian in my case)
client-gateway - a computer behind any firewalls / nat-s with internet access (I use raspberrypi at home, it's behind the provider's nat and my home router). This computer will be used as an exit node for all clients of the vpn.
client device - any client to be routed via client-gateway. I have linux and android only, but suggest this will work for windows clients too.

Important options for server are:

Code: Select all

dev tun1
client-to-client
topology subnet

# We'll use this for our client-gateway special config
client-config-dir /etc/openvpn/ccd

# Or use this option manually for all clients except client-gateway
push "redirect-gateway autolocal"

Also dhcp and authentication must be configured. There is no specials here, just another network.
The most important part - client-specific configuration for client-gateway node. It contains 2 options only:

Code: Select all

# I bielive this one is optional, but haven't tested that
ifconfig-push 10.5.5.2 255.255.255.0

# This will route all the traffic onto our client-gateway node
iroute 0.0.0.0 0.0.0.0

I have net.ipv4.conf.tun1.forwarding=0 on server, because all packets are routed internally by openvpn, I guess. They're probably not even passed to the kernel, so if u run tcpdump -i tun1 on server - it will be silent, and it's ok.

For the client-gateway the only important option is route-nopull since i'm pushing default route to each client. And since my client-gateway node is behind provider's nat and router I had to configure static route to vpn subnet via client-gateway on router box, to make it handle packets from tunnel properly. Or you can do masqerade onto client-gateway node. Anyway, net.ipv4.conf.tun1.forwarding must be enabled here.

All other clients have no special options.

I'm not very experienced in networking, but i've done a few tests with ip-checks and tcpdump. And it seems the traffic is routed correctly: client -> server -> client-gateway -> internet.

Posted: **Sat Aug 31, 2024 5:49 pm**

mk3pq28 wrote: ↑
Thu Feb 16, 2023 9:09 pm
I had same requirement and solved that with l3 tun type. The idea was quiet simple: use ccd and put iroute 0.0.0.0 0.0.0.0 for the client I want to use as a gateway. I'm on OpenVPN 2.6_rc1. So, we should have at least 3 nodes in the network:

server - endpoint with a public IP (vps on debian in my case)

client-gateway - a computer behind any firewalls / nat-s with internet access (I use raspberrypi at home, it's behind the provider's nat and my home router). This computer will be used as an exit node for all clients of the vpn.

client device - any client to be routed via client-gateway. I have linux and android only, but suggest this will work for windows clients too.

Important options for server are:
Code: Select all
dev tun1
client-to-client
topology subnet

# We'll use this for our client-gateway special config
client-config-dir /etc/openvpn/ccd

# Or use this option manually for all clients except client-gateway
push "redirect-gateway autolocal"
Also dhcp and authentication must be configured. There is no specials here, just another network.
The most important part - client-specific configuration for client-gateway node. It contains 2 options only:
Code: Select all
# I bielive this one is optional, but haven't tested that
ifconfig-push 10.5.5.2 255.255.255.0

# This will route all the traffic onto our client-gateway node
iroute 0.0.0.0 0.0.0.0
I have net.ipv4.conf.tun1.forwarding=0 on server, because all packets are routed internally by openvpn, I guess. They're probably not even passed to the kernel, so if u run tcpdump -i tun1 on server - it will be silent, and it's ok.

For the client-gateway the only important option is route-nopull since i'm pushing default route to each client. And since my client-gateway node is behind provider's nat and router I had to configure static route to vpn subnet via client-gateway on router box, to make it handle packets from tunnel properly. Or you can do masqerade onto client-gateway node. Anyway, net.ipv4.conf.tun1.forwarding must be enabled here.

All other clients have no special options.

I'm not very experienced in networking, but i've done a few tests with ip-checks and tcpdump. And it seems the traffic is routed correctly: client -> server -> client-gateway -> internet.

Hey I'm trying to set up the same thing but using your instructions did not help. can you post the full config? Would be awesome! Currently, clients either don't route throug the vpn at all or can't connect to the outside internet at all. They can connect to the gateway-client though. So yeah if you could post the server and client configs, I'd really appreciate it!

Posted: **Sat Aug 31, 2024 6:00 pm**

mk3pq28 wrote: ↑
Thu Feb 16, 2023 9:09 pm

For the client-gateway the only important option is route-nopull since i'm pushing default route to each client. And since my client-gateway node is behind provider's nat and router I had to configure static route to vpn subnet via client-gateway on router box, to make it handle packets from tunnel properly. Or you can do masqerade onto client-gateway node. Anyway, net.ipv4.conf.tun1.forwarding must be enabled here.

also what did you mean exactly by this?
which network and subnet mask did you specify for this?

OpenVPN Support Forum

How to route OpenVPN client's traffic through another client on the same VPN?

How to route OpenVPN client's traffic through another client on the same VPN?

Re: How to route OpenVPN client's traffic through another client on the same VPN?

Re: How to route OpenVPN client's traffic through another client on the same VPN?

Re: How to route OpenVPN client's traffic through another client on the same VPN?

Re: How to route OpenVPN client's traffic through another client on the same VPN?

Re: How to route OpenVPN client's traffic through another client on the same VPN?

Re: How to route OpenVPN client's traffic through another client on the same VPN?