"Connecting" two instances of OpenVPN on a server

PingPong
OpenVpn Newbie
Posts: 14
Joined: Sun Jul 29, 2018 2:01 pm

"Connecting" two instances of OpenVPN on a server

Post by PingPong » Sun Jul 29, 2018 2:09 pm

Hi there,

I'm new to this forum, but not too new to OpenVPN. At the moment I'm facing a problem where I'd like to ask for some advice. I asked Google before and was also guided to this forum and many other sites. A lot of solutions were found, but none to my problem, as far as I can see.

So here is what's going on.

I have a virtual Debian Stretch with root access, which has a public IP address. It should not matter, so let's say it's 123.45.67.89.

On there I have two instances of OpenVPN, both using TUN:
(1) 10.11.12.0/24 (tun 0)
(2) 10.20.30.0/24 (tun 1)

What I would like to have is:
(A) Clients in (1) cannot see and reach each other.
(B) Clients in (2) can see and reach each other.
(C) Clients in (1) cannot see and reach clients in (2).
(D) Clients in (2) can see and reach clients in (1).
What I don’t need is some access of the VPN to the public network (internet).

For security reasons ufw is installed (I'm pretty sure that not everyone here would follow me on that point...).

What I did so far:
- client-to-client is disabled in (1).conf
- client-to-client is enabled in (2).conf
- DEFAULT_FORWARD_POLICY="ACCEPT" is enabled in /etc/default/ufw
- net.ipv4.ip_forward=1 is enabled in /etc/sysctl.conf
- and a lot of other things trying to get this running using rules for ufw, routing and iptables, which in the end didn't lead to more than frustration.

What works now is (B). What doesn’t work is (A), (C) and (D).

Before that I tried two ways to solve it:
- Adding some clever rules with iptables. But my rules were not clever enough
- Adding some clever rules to ufw with a kind of transfer network and second IP in the same range for the TUNs. But that also didn’t work out.

So my question to you folks, is there a good shepherd to guide me the right way?

Greetz
Martin
Last edited by PingPong on Sun Jul 29, 2018 7:31 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: "Connecting" two instances of OpenVPN on a server

Post by TinCanTech » Sun Jul 29, 2018 4:44 pm

We have this:
https://openvpn.net/index.php/open-sour ... tml#policy

but I suspect that will not be advanced enough for you.

What you are going to need is a high level tutorial for iptables .. we don't have that.

PingPong
OpenVpn Newbie
Posts: 14
Joined: Sun Jul 29, 2018 2:01 pm

Re: "Connecting" two instances of OpenVPN on a server

Post by PingPong » Sun Jul 29, 2018 7:29 pm

First: Thanks!

Second: This link looks nice, nearly on the way to a solution to my problem. I think this is a way to follow and test.

Third: I know a bit about iptables, can understand rules when I see them and can set up easy ones and make them work. In a way I was looking for a way to avoid getting to those levels...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: "Connecting" two instances of OpenVPN on a server

Post by TinCanTech » Sun Jul 29, 2018 7:53 pm

Openvpn does have a packet filter .. but that would probably make things even more complicated.

http://backreference.org/2010/06/18/ope ... et-filter/

For me, iptables is the tool of choice ..

Edit: I am not sure if that packet filter plugin still works, if you try it let me know how you get on :)

PingPong
OpenVpn Newbie
Posts: 14
Joined: Sun Jul 29, 2018 2:01 pm

Re: "Connecting" two instances of OpenVPN on a server

Post by PingPong » Tue Jul 31, 2018 6:26 am

Thanks TinCanTech,

I'm still working on it. The packet filter of OpenVPN is a pretty funny thing. I expected that there had to be something like that, because OpenVPN needs it to work properly, but I will not follow it. Using it might cause a bunch of problems after some update, because this is some internal function which can be changed at any time.

On those four points mentioned above I got three working without any additional routing or forwarding outside OpenVPN. Those are: A, B, C.

For that it was initially needed to disable forwarding in /etc/sysctl.conf, which is pretty funny, because enabling it was mentioned in every description I read up to now to get points A, B and C working.

So "all" I'm looking for at the moment is a routing from (2) to (1) to get (D) working. I guess here iptables is also my tool of choice.

Greetz
Martin

PingPong
OpenVpn Newbie
Posts: 14
Joined: Sun Jul 29, 2018 2:01 pm

Re: "Connecting" two instances of OpenVPN on a server

Post by PingPong » Sat Aug 11, 2018 10:37 pm

I got this thing working. So people who are looking for a solution to a similar problem might find this request. For my feeling it's pretty fair to leave a note about the solution here.

At the right moment I found some help. A person very deep into this matter had a look at my setup and had a bunch of great ideas where to start solving the problem. That kind of help really kicked me forward!

Please be aware that working with iptables might lock you out of your server. Whatever you do, being able to physically work in front of the server is needed! Whatever you change with iptables will take effect immediately.

Also check the names of your network devices, IP addresses, ports, etc. Don't use mine, they likely will not work with your configuration.

Here comes the solution:

1. Use iptables. If you do, do it properly and don't use ufw at the same time. You will not need it.

Code:

$ sudo apt purge ufw

2. Don't limit anything at start. That means:
.conf for tun0 => "client-to-client"
.conf for tun1 => "client-to-client"
/etc/sysctl.conf => "net.ipv4.ip_forward=1"

3. Now take 2 or 3 hours to get the basics of iptables. It's not too hard, but needed!
Install "iptables-persistent" and learn how to save the iptables configuration.

4. Make iptables secure your installation:

Code:

#ip6tables -P INPUT DROP
#ip6tables -P FORWARD DROP
#ip6tables -P OUTPUT DROP
#iptables -P INPUT DROP
#iptables -P FORWARD DROP

Now you locked yourself out ;)

5. Make yourself able to connect to your server via SSH on eth0:

Code:

#iptables -A INPUT -i eth0 -p tcp -m tcp --dport 12345 -j ACCEPT

6. Make your two instances of OpenVPN let the clients connect via eth0:

Code:

#iptables -A INPUT -i eth0 -p udp -m udp --dport 23456 -j ACCEPT
#iptables -A INPUT -i eth0 -p udp -m udp --dport 34567 -j ACCEPT

7. Make yourself able to ping all (server and clients) from your server:

Code:

#iptables -I INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

8. Make all clients able to ping each other:

Code:

#iptables -A INPUT -d 10.11.12.0/24 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT  # /24: the whole subnet, /32 would match only the .0 address
#iptables -A INPUT -d 10.20.30.0/24 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT  # /24: the whole subnet, /32 would match only the .0 address

9. Let the network of those who should see everything see the network of those who should only see themselves:

Code:

#iptables -A FORWARD -s 10.20.30.0/24 -o tun0 -j ACCEPT

10. Let the clients who are already connected be able to forward to each other. This also covers the point where those who should not see each other forward to those who should see everything:

Code:

#iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
11. Isolate those, who should only see themselves:
.conf for tun0 => ";client-to-client"

If you usually work on Windows, feel free to reboot. If you saved the rules, this will not change a thing ;)

Done!
Last edited by PingPong on Sat Aug 11, 2018 10:44 pm, edited 1 time in total.
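The FORWARD chain from steps 4, 9 and 10 above as a constructed model, an added example and not code from the thread: it walks the rules in first-match order for the thread's two subnets and checks requirements (A) to (D) plus "no internet". The interface mapping, the client-to-client short-circuit for tun1 and the conntrack states are assumptions of the model, not a real iptables evaluation.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (subnets as in the thread).
TUN0_NET = ip_network("10.11.12.0/24")  # instance (1): clients must stay isolated
TUN1_NET = ip_network("10.20.30.0/24")  # instance (2): clients may talk to everyone

# FORWARD chain after steps 4, 9 and 10, in first-match order: step 10 inserts (-I)
# the conntrack rule at the top, step 9 appended (-A) the tun1 -> tun0 rule, and
# step 4 set the chain policy to DROP.
FORWARD_RULES = [
    {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},  # -I FORWARD -m state ...
    {"src": TUN1_NET, "out": "tun0", "target": "ACCEPT"},       # -A FORWARD -s 10.20.30.0/24 -o tun0
]
FORWARD_POLICY = "DROP"  # -P FORWARD DROP

def iface_for(addr):
    """Output interface the kernel would pick for a destination (assumed routing)."""
    a = ip_address(addr)
    if a in TUN0_NET:
        return "tun0"
    if a in TUN1_NET:
        return "tun1"
    return "eth0"  # anything else would leave towards the public network

def forward_verdict(src, dst, state="NEW"):
    """Verdict for one packet: OpenVPN's client-to-client short-circuit for tun1,
    otherwise a first-match walk of the modelled FORWARD chain."""
    s, d = ip_address(src), ip_address(dst)
    if s in TUN1_NET and d in TUN1_NET:
        return "ACCEPT"  # client-to-client is on for tun1: switched inside OpenVPN
    for rule in FORWARD_RULES:
        if "state" in rule and state not in rule["state"]:
            continue
        if "src" in rule and s not in rule["src"]:
            continue
        if "out" in rule and iface_for(d) != rule["out"]:
            continue
        return rule["target"]
    return FORWARD_POLICY  # nothing matched: the DROP policy from step 4 decides

def check_requirements():
    """The thread's (A)-(D) plus 'no internet', each True when the chain enforces it."""
    return {
        "A": forward_verdict("10.11.12.5", "10.11.12.6") == "DROP",
        "B": forward_verdict("10.20.30.5", "10.20.30.6") == "ACCEPT",
        "C": forward_verdict("10.11.12.5", "10.20.30.6") == "DROP",
        "D": forward_verdict("10.20.30.5", "10.11.12.6") == "ACCEPT"
        and forward_verdict("10.11.12.6", "10.20.30.5", "ESTABLISHED") == "ACCEPT",
        "no_internet": forward_verdict("10.20.30.5", "203.0.113.10") == "DROP",
    }
```

Requirement (A) holds only because tun0 has client-to-client off, so tun0-to-tun0 traffic reaches the kernel chain and falls through to the DROP policy.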

PingPong
OpenVpn Newbie
Posts: 14
Joined: Sun Jul 29, 2018 2:01 pm

Re: "Connecting" two instances of OpenVPN on a server

Post by PingPong » Sat Aug 11, 2018 10:41 pm

Thanks again TinCanTech,

"iptables" is not the only, but the easiest way to make things work.
