description
The home network is connected to the cable provider, with 192.168.50.1 as the default gateway. (The netmask is 255.255.254.0, because there was once a 192.168.51.* subnet.)
- 192.168.50.1 - cable modem (with some ports forwarded to the QNAP)
- 192.168.50.2 - QNAP (eth0)
- 192.168.50.3..253 - clients from home network
- 192.168.50.254 - tomato DHCP for home network (with dnsmasq)
- 192.168.49.2 - Lukowa (enp1s6)
- 192.168.49.3..254 - clients from work network
problem
From the QNAP network I can ping/connect to 192.168.48.6, but I can't connect to 192.168.49.2 (the following log lines show up in the OpenVPN telnet management console with verb 7). At the same time I can ping the whole 192.168.50.* network from Lukowa, but from another work client (e.g. 192.168.49.3) I can ping only 192.168.48.6. I'd love to be able to reach everything from everywhere.

>LOG:1610931770,D,MULTI: REAP range 80 -> 96
>LOG:1610931770,D,GET INST BY VIRT: 192.168.49.6 [failed]
>LOG:1610931771,D,MULTI: REAP range 96 -> 112
>LOG:1610931771,D,GET INST BY VIRT: 192.168.49.6 [failed]
configuration
So, let's start with the server (QNAP): ifconfig, route, iptables, etc.
[admin@QNAP ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:08:9B:CF:94:86
inet addr:192.168.50.2 Bcast:192.168.51.255 Mask:255.255.254.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15738291 errors:0 dropped:0 overruns:0 frame:0
TX packets:12846453 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:466495933 (444.8 MiB) TX bytes:2567913412 (2.3 GiB)
Interrupt:11
eth1 Link encap:Ethernet HWaddr 00:08:9B:CF:94:87
UP BROADCAST NOTRAILERS MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:15
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4890740 errors:0 dropped:0 overruns:0 frame:0
TX packets:4890740 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:821737225 (783.6 MiB) TX bytes:821737225 (783.6 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.48.1 P-t-P:192.168.48.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:8377 errors:0 dropped:0 overruns:0 frame:0
TX packets:6807 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:7323778 (6.9 MiB) TX bytes:410482 (400.8 KiB)
[admin@QNAP ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.50.1 0.0.0.0 UG 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
192.168.48.0 192.168.48.2 255.255.255.0 UG 0 0 0 tun0
192.168.48.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.49.0 192.168.48.2 255.255.255.0 UG 0 0 0 tun0
192.168.50.0 * 255.255.254.0 U 0 0 0 eth0
[admin@QNAP ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[admin@QNAP ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[admin@QNAP ~]# cat /proc/sys/net/ipv4/ip_forward
1
[admin@QNAP ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
[admin@QNAP ~]# cat /etc/openvpn/ccd/lukowaVPN
iroute 192.168.49.0 255.255.255.0
dev tun
keepalive 10 60
reneg-sec 0
persist-key
persist-tun
# NOTE(review): duplicate-cn lets several sessions share one CN; together with
# verify-client-cert none below, the per-client ccd/iroute binding rests on
# whatever CN/username OpenVPN derives for the session -- confirm that this is
# the intended client identity model.
duplicate-cn
# script-security 3 is what auth-user-pass-verify ... via-env needs: the
# password is handed to the script through its environment.
script-security 3
# Management interface is bound to localhost and, as written, has no pw-file
# argument, so any local account on the QNAP can reach it.
management localhost 7505
#username-as-common-name
#client-cert-not-required
verify-client-cert none
auth-user-pass-verify /usr/sbin/vpn_check_account via-env
ca /etc/openvpn/keys/ca.crt
# NOTE(review): 1024-bit DH parameters are below current recommendations;
# regenerate them at 2048 bits or more.
dh /etc/openvpn/keys/dh1024.pem
key /etc/openvpn/keys/qnap.key
cert /etc/openvpn/keys/qnap.crt
client-connect /etc/openvpn/connect.sh
client-disconnect /etc/openvpn/disconnect.sh
status /var/log/openvpn-status.log
writepid /var/run/openvpn.server.pid
port secretportnumber
proto udp
max-clients 50
server 192.168.48.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
# Relative path: OpenVPN resolves it against its working directory unless a
# `cd` directive is set. If the ccd file for lukowaVPN is not found, its
# iroute is never installed, which would fit the "GET INST BY VIRT ... [failed]"
# lines quoted in the problem description -- worth ruling out by using an
# absolute path here.
client-config-dir ccd
client-to-client
route 192.168.49.0 255.255.255.0
push "route 192.168.49.0 255.255.255.0"
push "route 192.168.50.0 255.255.255.0"
# NOTE(review): compressing VPN traffic is discouraged in current OpenVPN
# guidance; drop this unless it is really needed (both ends must agree).
comp-lzo
cipher AES-128-CBC
# NOTE(review): the first suite in this list is 3DES-based and weak, and
# pinning tls-cipher to a hand-picked list also blocks negotiation of newer
# suites. Consider trimming it to the AES suites if every client supports them.
tls-cipher TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
In addition, the 192.168.50.254 DHCP server pushes two static routes through 192.168.50.2 (which — I repeat — is NOT the default gateway). Dnsmasq runs there with the following added:
dhcp-option=option:classless-static-route,192.168.48.0/24,192.168.50.2, 192.168.49.0/24,192.168.50.2
And here is the Lukowa VPN client configuration:
root@lukowa:~# ifconfig
enp1s6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.49.2 netmask 255.255.255.0 broadcast 192.168.49.255
inet6 fe80::da5d:4cff:fe83:57c4 prefixlen 64 scopeid 0x20<link>
ether d8:5d:4c:83:57:c4 txqueuelen 1000 (Ethernet)
RX packets 779145 bytes 579801876 (579.8 MB)
RX errors 2 dropped 10 overruns 1 frame 0
TX packets 895236 bytes 586928401 (586.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enx0c5b8f279a64: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.8.100 netmask 255.255.255.0 broadcast 192.168.8.255
inet6 fe80::e5b:8fff:fe27:9a64 prefixlen 64 scopeid 0x20<link>
ether 0c:5b:8f:27:9a:64 txqueuelen 1000 (Ethernet)
RX packets 370821 bytes 331188878 (331.1 MB)
RX errors 0 dropped 2 overruns 0 frame 0
TX packets 265850 bytes 85846348 (85.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 310437 bytes 44030576 (44.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 310437 bytes 44030576 (44.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun2001: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.48.6 netmask 255.255.255.255 destination 192.168.48.5
inet6 fe80::b213:d9ad:6506:808e prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 6730 bytes 403476 (403.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8429 bytes 7328720 (7.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@lukowa:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.8.1 0.0.0.0 UG 100 0 0 enx0c5b8f279a64
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 enx0c5b8f279a64
192.168.8.1 0.0.0.0 255.255.255.255 UH 100 0 0 enx0c5b8f279a64
192.168.48.0 192.168.48.5 255.255.255.0 UG 0 0 0 tun2001
192.168.48.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun2001
192.168.49.0 0.0.0.0 255.255.255.0 U 0 0 0 enp1s6
192.168.49.0 192.168.49.1 255.255.255.0 UG 99 0 0 enp1s6
192.168.50.0 192.168.48.5 255.255.255.0 UG 0 0 0 tun2001
root@lukowa:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@lukowa:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.49.0/24 anywhere
root@lukowa:~# cat /proc/sys/net/ipv4/ip_forward
1
root@lukowa:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# Masquerades work-LAN (192.168.49.0/24) traffic only when it leaves via the
# enx... uplink. `iptables -t nat -L` without -v does not print the
# out-interface, which is why the rule looks unrestricted in the listing above.
# Presumably intentional: traffic toward tun2001 keeps its 192.168.49.x source
# address, so the VPN server must know that subnet sits behind this client
# (the iroute in its ccd file) for replies to come back.
iptables -t nat -A POSTROUTING -s 192.168.49.0/24 -o enx0c5b8f279a64 -j MASQUERADE
dev tun2001
script-security 3
proto udp
explicit-exit-notify 1
remote my.home.address secretportnumber
resolv-retry infinite
nobind
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/lukowaVPN.crt
key /etc/openvpn/client/lukowaVPN.key
# NOTE(review): no `remote-cert-tls server` line, so any certificate issued by
# this CA (a client certificate included) would be accepted as the server.
# Plaintext credentials file; keep it readable by root only.
auth-user-pass /etc/openvpn/client/login.conf
reneg-sec 0
cipher AES-128-CBC
# NOTE(review): the first suite in this list is 3DES-based and weak; the list
# has to stay in step with the server's tls-cipher setting.
tls-cipher TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# NOTE(review): compressing VPN traffic is discouraged in current OpenVPN
# guidance; drop this (on both ends) unless it is really needed.
comp-lzo