Hi,
I have a Windows VPS (Server 2016) that only has a public IP-address.
Now I have installed OpenVPN on it as server.
The OpenVPN-ip is 10.8.0.1/24.
I have a Debian 9 machine that is running inside a network as VPN-client.
The Debian 9 is running behind an older Netgear firewall. The firewall has a static route (10.8.0.0/24 - 192.168.16.31)
Netgear firewall IP is 192.168.16.1/24
LAN address is 192.168.16.31/24
LAN subnet is 192.168.16.0/24
The OpenVPN-ip of the Debian 9 is 10.8.0.2/24.
In the server-config I have:
route 192.168.16.0 255.255.255.0 10.8.0.1
client-config-dir ccd
In the ccd/gbg-61 I have:
iroute 192.168.16.0 255.255.255.0
ifconfig-push 10.8.0.2 255.255.255.0
I know that the ccd config is loaded to the client because I did a test with:
ifconfig-push 10.8.0.77 255.255.255.0
and it worked. But like I said, now the client is running on 10.8.0.2.
From the server (10.8.0.1) I can ping 10.8.0.2 and 192.168.16.31 but I can't ping e.g. 192.168.16.1 or any other computer behind the Debian 9 client.
From any client I can ping 10.8.0.2 but I can't ping 10.8.0.1 from any client.
What did I miss?
I paste the config file from server, client and ccd below:
Server config!
###########################
port 1194
proto udp
# Tested with dev tun too but that didn't help.
dev tap
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key" # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
topology subnet
server 10.8.0.0 255.255.255.0
# According to ip route show, this is redundant, am I right about that? Tested with and without it.
push "route 10.8.0.0 255.255.255.0"
client-config-dir ccd
route 192.168.16.0 255.255.255.0 10.8.0.1
# I shouldn't be needing this but I put it in anyway for testing.
client-to-client
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
###############################
Client config!
##############################
client
dev tap
proto udp
remote <public ip removed> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/gbg-61.crt
key /etc/openvpn/client/gbg-61.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
;mute 20
###########################
ccd/gbg-61
###########################
iroute 192.168.16.0 255.255.255.0
ifconfig-push 10.8.0.2 255.255.255.0
Expanding VPN - site-to-site
Re: Expanding VPN - site-to-site
johan.skott wrote: ↑Mon Dec 10, 2018 1:32 pm
In the server-config I have:
route 192.168.16.0 255.255.255.0 10.8.0.1

Try:
route 192.168.16.0 255.255.255.0
Re: Expanding VPN - site-to-site
I needed to set ip_forward = 1 on the Debian machine.
ip_forward is not an OpenVPN setting, you need to set it in the Linux OS.
And use dev tun, not dev tap.
Best regards
Johan
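
A small lint for the three changes this thread arrived at (server route without the gateway, dev tun on both ends, ip_forward on the Debian client), as an added example that is not part of the posts above; it also checks that every ccd iroute has a matching server route. The function names and sample files are constructed, and the sample ip_forward value of 0 is an assumption drawn from the last post.

```shell
#!/bin/sh
# Added example, not from the thread. All file names are constructed samples.

# Value of the last "dev" directive in an OpenVPN config (tun or tap).
dev_type() { awk '$1 == "dev" { d = $2 } END { print d }' "$1"; }

# ccd iroutes ($2) that have no matching "route" in the server config ($1).
missing_routes() {
    awk 'FILENAME == ARGV[1] { if ($1 == "route") have[$2 " " $3] = 1; next }
         $1 == "iroute" { k = $2 " " $3; if (!(k in have)) print k }' "$1" "$2"
}

# Server "route" lines carrying an explicit gateway (a 4th field), which
# the reply in this thread suggested dropping.
routes_with_gateway() { awk '$1 == "route" && NF >= 4 && $4 !~ /^[#;]/' "$1"; }

# True if IPv4 forwarding is on; $1 overrides the /proc path for testing.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Print one finding per line. Args: server conf, ccd file, client conf, ip_forward path.
lint_site_to_site() {
    for f in "$1" "$3"; do
        [ "$(dev_type "$f")" = "tun" ] || echo "$f: dev is not tun"
    done
    m=$(missing_routes "$1" "$2")
    [ -z "$m" ] || echo "$2: iroute has no server route: $m"
    g=$(routes_with_gateway "$1")
    [ -z "$g" ] || echo "$1: route has explicit gateway: $g"
    forwarding_enabled "$4" || echo "ip_forward is not 1 on the LAN-side client"
}

# Constructed sample files holding the relevant lines as first posted
# (ip_forward=0 is assumed from the final post, not shown in the thread).
write_samples() {
    printf 'dev tap\nroute 192.168.16.0 255.255.255.0 10.8.0.1\n' > "$1/server.ovpn"
    printf 'iroute 192.168.16.0 255.255.255.0\n' > "$1/gbg-61"
    printf 'client\ndev tap\n' > "$1/client.conf"
    echo 0 > "$1/ip_forward"
}

d=$(mktemp -d)
write_samples "$d"
lint_site_to_site "$d/server.ovpn" "$d/gbg-61" "$d/client.conf" "$d/ip_forward"
```

The forwarding check reads the live kernel value only; to keep the setting across reboots it goes in /etc/sysctl.conf or a file under /etc/sysctl.d/.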