use OpenVPN client as router

Tasslehoff
OpenVpn Newbie
Posts: 2
Joined: Wed Aug 18, 2021 2:04 pm

use OpenVPN client as router

Post by Tasslehoff » Wed Aug 18, 2021 2:11 pm

Hi everyone and thanks in advance for any help.

I'm struggling with an OpenVPN configuration quite unusual for my experience.
Basically it's a vpn between my HQ and a cloud instance, monitoring and backups have to be done on a couple of HQ hosts, one of these is a vpn endpoint.
This is the basic architecture:

vpn endpoint HQ (OpenVPN client):
eth0: 10.62.15.154
tun0: 10.30.41.254

vpn endpoint cloud (OpenVPN server):
eth0: 10.1.0.4
tun0: 10.30.41.1
wan:  52.53.54.55

backup HQ:
eth0: 10.62.15.140

The OpenVPN tunnel works; to make the client able to reach the eth0 interface on the cloud instance I added push "route 10.1.0.4 255.255.255.255" to the server.conf on the cloud instance.

My problem is that I can't reach the HQ OpenVPN endpoint's eth0 interface and the backup host's interface from the cloud instance (OpenVPN server). I tried to add route 10.62.15.154 255.255.255.255 to the server.conf on the instance, but this resulted in an entry in my cloud instance's routing table which is quite strange, because there's no interface with the IP address 10.30.41.2.

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.62.15.154    10.30.41.2      255.255.255.255 UGH   0      0        0 tun0

Do you have any suggestions to solve this problem?

Thanks

server config
port 5755
proto udp
dev tun
askpass /root/.server.pass
dh /etc/openvpn/certs/dh.pem

server 10.30.41.0 255.255.255.0
push "route 10.1.0.4 255.255.255.255"
client-config-dir ccd

cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody

log-append /var/log/openvpn.log
verb 3

<ca>
...
</ca>

<cert>
...
</cert>

<key>
...
</key>
client config
client
dev tun
proto udp

remote 52.53.54.55 5755

askpass /root/.client.pass

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>
...
</ca>

<cert>
...
</cert>

<key>
...
</key>

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: use OpenVPN client as router

Post by TinCanTech » Thu Aug 19, 2021 2:04 am

This is all in the howto.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: use OpenVPN client as router

Post by 300000 » Fri Aug 20, 2021 2:17 pm

You need to set up a site-to-site connection to make it work for you. Now from the OpenVPN client it can ping every host, but from outside, connected to the OpenVPN server, you can't ping the backup host. Why?

First, the OpenVPN server doesn't have any route information for the backup host, so it will not route to it. You can try from the Windows command line tracert 10.62.15.140 and the route stops at 10.30.41.1. So you need to add this route to the server config:

route 10.62.15.0 255.255.255.0

What gateway does the route add to? It must be the OpenVPN client IP so it can route to its IP range. You need the iroute command in the CCD folder on the OpenVPN server. The most important thing is the name of the client's certificate as the file name in the CCD folder, so when the OpenVPN client connects it knows which gateway to add it to. So the command inside the file named after the client is:

iroute 10.62.15.0 255.255.255.0

After that, if you tracert 10.62.15.0 again it will stop at the OpenVPN client 10.30.41.254, because at the OpenVPN client you did not set up NAT and IP forwarding as on the server. Just do one thing: NAT and IP forwarding, the same as you did on the server, so it will work for you.

So this is all you need to do and it will work for you. Open the server config and add this:

route 10.62.15.0 255.255.255.0

Inside the openvpn folder create a folder named CCD. Inside that folder create a file named as the client certificate, open that file and add this line:

iroute 10.62.15.0 255.255.255.0


At the client just do NAT and IP forwarding as you did with the OpenVPN server and it should work for you.
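The server-side half of this reply (a route in server.conf paired with an iroute in the client's ccd file) is exactly the pairing the original poster was missing, which is why a bare route produced the stray 10.30.41.2 gateway entry. As an added example, not from this thread or from OpenVPN's own tooling, here is a small Python checker that reads a server.conf and its client-config-dir and reports route lines without a matching iroute and vice versa; the ccd filename "hq-endpoint" and the directory layout are constructed placeholders, and the client-side forwarding/NAT step is not covered.

```python
import os
import tempfile

HOST_MASK = "255.255.255.255"  # OpenVPN's default netmask for route/iroute

def _tokens(line):
    """Strip '#'/';' comments and split one config line into tokens."""
    return line.split("#", 1)[0].split(";", 1)[0].split()

def check_routes(server_conf, conf_dir):
    """Pair server 'route' lines with 'iroute' lines in the client-config-dir; return a list of problems."""
    issues, routes, ccd = [], set(), None
    for parts in map(_tokens, server_conf.splitlines()):
        if not parts:
            continue
        if parts[0] == "route" and len(parts) >= 2:
            routes.add((parts[1], parts[2] if len(parts) > 2 else HOST_MASK))
        elif parts[0] == "iroute":
            issues.append("iroute in server.conf is ignored; it belongs in the client's ccd file")
        elif parts[0] == "client-config-dir" and len(parts) == 2:
            ccd = os.path.join(conf_dir, parts[1])  # assumed relative to the config dir
    iroutes = {}
    if ccd and os.path.isdir(ccd):
        for name in sorted(os.listdir(ccd)):  # each file is named after a client cert CN
            with open(os.path.join(ccd, name)) as fh:
                for parts in map(_tokens, fh):
                    if parts and parts[0] == "iroute" and len(parts) >= 2:
                        iroutes[(parts[1], parts[2] if len(parts) > 2 else HOST_MASK)] = name
    for net in sorted(routes - set(iroutes)):
        issues.append("route %s %s has no iroute in any ccd file: the kernel hands the packets "
                      "to tun0 but OpenVPN cannot map them to a client" % net)
    for net, name in sorted(iroutes.items()):
        if net not in routes:
            issues.append("iroute %s %s in ccd/%s has no matching route in server.conf: the "
                          "kernel never sends that traffic to tun0" % (net + (name,)))
    return issues

def demo():
    """Constructed case: the thread's server.conf as posted, then with the fix applied."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "ccd"))
        as_posted = ("server 10.30.41.0 255.255.255.0\n"
                     "route 10.62.15.154 255.255.255.255\nclient-config-dir ccd\n")
        before = check_routes(as_posted, d)
        # placeholder CN 'hq-endpoint' stands in for the HQ client's certificate name
        with open(os.path.join(d, "ccd", "hq-endpoint"), "w") as fh:
            fh.write("iroute 10.62.15.0 255.255.255.0\n")
        fixed = ("server 10.30.41.0 255.255.255.0\n"
                 "route 10.62.15.0 255.255.255.0\nclient-config-dir ccd\n")
        return before, check_routes(fixed, d)
```

Run it against a real server.conf by passing the file contents and the directory the daemon runs in; an empty list means every route has its iroute.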

Tasslehoff
OpenVpn Newbie
Posts: 2
Joined: Wed Aug 18, 2021 2:04 pm

Re: use OpenVPN client as router

Post by Tasslehoff » Tue Sep 21, 2021 9:25 am

300000 wrote:
Fri Aug 20, 2021 2:17 pm
SNIP

So this is all you need to do and it will work for you. Open the server config and add this:

route 10.62.15.0 255.255.255.0

Inside the openvpn folder create a folder named CCD. Inside that folder create a file named as the client certificate, open that file and add this line:

iroute 10.62.15.0 255.255.255.0


At the client just do NAT and IP forwarding as you did with the OpenVPN server and it should work for you.

That worked perfectly! Thank you very much! :)
