How to route from the server using a vpn client as a gateway

archimede.pitagorico
OpenVpn Newbie
Posts: 7
Joined: Mon Feb 13, 2017 2:08 am

How to route from the server using a vpn client as a gateway

Post by archimede.pitagorico » Fri Feb 16, 2018 11:18 pm

I have 2 Linux machines A and B.

There is an openvpn tun server with net30 topology running on A.

There is an openvpn client running on B, and receiving a fixed IP address from A.

Both A and B also have other interfaces, in addition to the openvpn ones.

Summarizing, I have the following interfaces:
Machine A
inet 192.168.68.1 peer 192.168.68.2/32 scope global myvpn
Machine B
inet 192.168.68.18 peer 192.168.68.17/32 scope global myvpn

From A I can ping B and vice versa.

On machine A (the server), I add the following route, so that a particular address (for example, 80.72.160.111) is routed via the vpn tunnel, from the server to the client, and then forwarded by the client on some other interface. I.e. I want the client to act as a gateway for this particular address.
80.72.160.111 via 192.168.68.18 dev myvpn

If on machine A I ping 80.72.160.111, I can see the icmp packet going through the firewall and exiting the network stack on the myvpn interface. But the packet never reaches machine B.

On machine A, tracking packets on iptables, I see:
Feb 17 16:26:54 archimede kernel: MANGLE-OUTPUT:IN= OUT=myvpn SRC=192.168.68.1 DST=80.72.160.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4469 DF PROTO=ICMP TYPE=8 CODE=0 ID=25044 SEQ=210
Feb 17 16:26:54 archimede kernel: FILTER-OUTPUT:IN= OUT=myvpn SRC=192.168.68.1 DST=80.72.160.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4469 DF PROTO=ICMP TYPE=8 CODE=0 ID=25044 SEQ=210
Feb 17 16:26:54 archimede kernel: MANGLE-POSTROUTING:IN= OUT=myvpn SRC=192.168.68.1 DST=80.72.160.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4469 DF PROTO=ICMP TYPE=8 CODE=0 ID=25044 SEQ=210
Feb 17 16:26:55 archimede kernel: RAW-OUTPUT:IN= OUT=myvpn SRC=192.168.68.1 DST=80.72.160.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4530 DF PROTO=ICMP TYPE=8 CODE=0 ID=25044 SEQ=211

With tcpdump on machine A I see:
16:32:43.647630 IP (tos 0x0, ttl 64, id 6830, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.68.1 > 80.72.160.111: ICMP echo request, id 25204, seq 208, length 64

The packet is routed via the correct interface, but that interface has no default end point (it can have multiple clients) and I do not see any reference to the specific client IP address that I want to use as gateway: 192.168.68.18.

Does anybody know what is going on? Is it not possible to use a VPN client as a gateway? Do I need to create an ipip tunnel on top of openvpn?
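
Added example, not part of the original post or of the OpenVPN project's own files: in multi-client server mode the OpenVPN process picks the receiving client from its internal routing table, not from the "via" address of the kernel route, so a destination is normally sent through one client with a route on the server plus an iroute in that client's client-config-dir file. The ccd directory path and the client name machine-b are assumptions; the addresses are the ones from the post.

```conf
# --- Machine A: additions to the server configuration ---------------
# Directory holding one file per client, named after the client's
# certificate common name (path is an assumption).
client-config-dir /etc/openvpn/ccd

# Kernel route on A: hand packets for this host to the tun device.
# This replaces the manual "80.72.160.111 via 192.168.68.18 dev myvpn".
route 80.72.160.111 255.255.255.255

# --- Machine A: /etc/openvpn/ccd/machine-b --------------------------
# File name must equal B's common name ("machine-b" is hypothetical).

# Fixed net30 address pair for B, matching the interface shown in the post.
ifconfig-push 192.168.68.18 192.168.68.17

# Internal route: tells the OpenVPN server process that packets for this
# destination belong to this client. Without it the server has no client
# to deliver the packet to and drops it after it enters the tun device.
iroute 80.72.160.111 255.255.255.255
```

Machine B must also forward the traffic (net.ipv4.ip_forward=1) and either source-NAT it on its outgoing interface or the far side needs a return route to 192.168.68.1, otherwise replies will not come back through the tunnel.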

yt2wyb
OpenVpn Newbie
Posts: 1
Joined: Wed Mar 07, 2018 3:40 am

Re: How to route from the server using a vpn client as a gateway

Post by yt2wyb » Sun Mar 25, 2018 4:20 pm

Any updates so far?
