I push a few routes through the VPN. When connected, the clients indeed try to go via the VPN server; however, this keeps timing out. I've read the HOWTO and have all the required settings. A summary:
VPN Server:
Code:
mode server
client-config-dir /etc/openvpn/bastion/client-configs
ca /etc/openvpn/bastion/keys/ca.crt
cert /etc/openvpn/bastion/keys/issued/server.crt
key /etc/openvpn/bastion/keys/private/server.key
dh /etc/openvpn/bastion/keys/dh.pem
crl-verify /etc/openvpn/bastion/crl.pem
proto udp
port 1194
comp-lzo
group nobody
user nobody
log-append /var/log/openvpn/bastion.log
status /var/log/openvpn/bastion-status.log
dev tun0
local 172.31.9.225
server 10.9.0.0 255.255.255.0
push "route 172.31.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
push "route 10.20.0.0 255.255.0.0"
push "route 10.30.0.0 255.255.0.0"
push "route 10.40.0.0 255.255.0.0"
push "dhcp-option DNS 172.31.0.2"
push "dhcp-option DOMAIN aws.m4e"
push "dhcp-option DOMAIN mind4energy.eu"
topology net30
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
management 172.31.9.225 7505
# Additional custom options
Code:
cat /proc/sys/net/ipv4/ip_forward
1
Code:
client
dev tun
proto udp
remote 23.45.123.43 1194
comp-lzo
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
mute-replay-warnings
ns-cert-type server
verb 3
mute 20
# Additional custom options
ca keys/user/ca.crt
cert keys/user/user.crt
key keys/user/user.key
Code:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:openvpn /* Allow incoming VPN connection */
2 ACCEPT all -- anywhere anywhere /* Accept packets from VPN tunnel adaptor */
3 ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DOCKER-USER all -- anywhere anywhere
2 DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
4 DOCKER all -- anywhere anywhere
5 ACCEPT all -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
7 ACCEPT all -- ip-10-9-0-0.eu-west-1.compute.internal/24 anywhere /* Allow VPN forwarding */
8 ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain DOCKER (1 references)
num target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num target prot opt source destination
1 DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
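As an added example (not code from the original post), a small Python check that parses the server config for the `server` subnet and the pushed routes, then walks an `iptables -L --line-numbers` listing like the one above to tell whether the filter FORWARD chain lets the VPN subnet reach each pushed destination. It assumes the listing was taken without `-n`, so sources may appear as EC2 reverse names such as `ip-10-9-0-0.eu-west-1.compute.internal/24`, and it does not follow jumps into the DOCKER chains; the sample strings are constructed from the config and listing in the post.

```python
import ipaddress
import re

# Constructed sample input (not the poster's files), trimmed from the config and listing above.
SERVER_CONF = """\
server 10.9.0.0 255.255.255.0
push "route 172.31.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
"""
IPTABLES_L = """\
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DOCKER-USER all -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
7 ACCEPT all -- ip-10-9-0-0.eu-west-1.compute.internal/24 anywhere /* Allow VPN forwarding */
"""

def parse_server(conf):
    """Return (vpn_subnet, [pushed route networks]) from an OpenVPN server config."""
    server = re.search(r'^\s*server\s+(\S+)\s+(\S+)', conf, re.M)
    pushes = re.finditer(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', conf, re.M)
    subnet = ipaddress.ip_network("/".join(server.groups()))  # "addr/netmask" form
    return subnet, [ipaddress.ip_network("/".join(m.groups())) for m in pushes]

def to_network(field):
    """Map an iptables -L source/destination (resolved names included) to a network, or None."""
    host, _, plen = field.replace("anywhere", "0.0.0.0/0").partition("/")
    if m := re.match(r'ip-(\d+)-(\d+)-(\d+)-(\d+)\.', host):  # EC2 reverse name -> address
        host = ".".join(m.groups())
    try:
        return ipaddress.ip_network(f"{host}/{plen or 32}", strict=False)
    except ValueError:  # unmappable hostname: never let it count as a match
        return None

def forward_allows(listing, src, dst):
    """True if filter/FORWARD accepts src->dst: first matching ACCEPT wins, else the policy."""
    chain = re.search(r'^Chain FORWARD \(policy (\w+)\)\n(.*?)(?=^Chain |\Z)', listing, re.M | re.S)
    for line in chain[2].splitlines():
        p = line.split()
        # skip the header, jumps (DOCKER-USER etc. are not followed) and the stateful reply-only rule
        if len(p) < 6 or p[1] != "ACCEPT" or "ctstate" in line:
            continue
        s, d = to_network(p[4]), to_network(p[5])
        if s and d and src.subnet_of(s) and dst.subnet_of(d):
            return True
    return chain[1] == "ACCEPT"

def check(conf=SERVER_CONF, listing=IPTABLES_L):
    """Map each pushed route to whether the VPN subnet is allowed to be forwarded to it."""
    subnet, routes = parse_server(conf)
    return {str(r): forward_allows(listing, subnet, r) for r in routes}
```

Passing this check, as the listing above does with its ACCEPT policy, only rules out the filter table; it cannot see the nat table or whether the destination networks have a return route to 10.9.0.0/24, which pushed routes also need (and on EC2, the instance's source/destination check).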