I have been trying to add client-specific rules and access policies as per the 2x HowTo to my existing OpenVPN setup, but am having great difficulty getting it to work.
In short, I have several VLANs on my home network, three of which are 192.168.10.0/24, 192.168.20.0/24, and 192.168.30.0/24. Each VLAN has a different class of user with different rights, and I am attempting to use CCD files to force clients onto a matching 10.8.xx.0/24 tunnel subnet so that I can apply appropriate firewall rules. My OpenVPN server is a Ubiquiti EdgeRouter 4 which runs VyOS, and the relevant section of my router config file is:
openvpn vtun0 {
    mode server
    openvpn-option "--keepalive 10 120"
    openvpn-option "--user nobody"
    openvpn-option "--group nogroup"
    openvpn-option "--persist-key"
    openvpn-option "--persist-tun"
    openvpn-option "--tls-server"
    openvpn-option "--remote-cert-tls client"
    openvpn-option "--tls-crypt /config/auth/tls-crypt.key"
    openvpn-option "--client-config-dir /etc/openvpn/ccd"
    openvpn-option "--ccd-exclusive"
    openvpn-option "--route 192.168.10.0/24"
    openvpn-option "--route 192.168.20.0/24"
    openvpn-option "--route 192.168.30.0/24"
    server {
        subnet 10.8.0.0/24
        push-route 192.168.10.0/24
        push-route 192.168.20.0/24
        push-route 192.168.30.0/24
        name-server 192.168.10.1
    }
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/rt1.crt
        dh-file /config/auth/dh.pem
        key-file /config/auth/rt1.key
    }
    description VPN
}
The OpenVPN client I am using for testing is a laptop running Debian:
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/mech1129.crt
key /etc/openvpn/mech1129.key
remote-cert-tls server
tls-crypt /etc/openvpn/tls-crypt.key
verb 3
mute 20
The CCD file for this client contains the following:
ifconfig-push 10.8.20.5 255.255.255.0
Fri Jan 28 21:23:54 2022 TUN/TAP device tun0 opened
Fri Jan 28 21:23:54 2022 TUN/TAP TX queue length set to 100
Fri Jan 28 21:23:54 2022 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 28 21:23:54 2022 /sbin/ip addr add dev tun0 10.8.20.5/24 broadcast 10.8.20.255
Fri Jan 28 21:23:54 2022 /sbin/ip route add 192.168.10.0/24 via 10.8.0.1
Error: Nexthop has invalid gateway.
Fri Jan 28 21:23:54 2022 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Jan 28 21:23:54 2022 /sbin/ip route add 192.168.20.0/24 via 10.8.0.1
Error: Nexthop has invalid gateway.
Fri Jan 28 21:23:54 2022 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Jan 28 21:23:54 2022 /sbin/ip route add 192.168.30.0/24 via 10.8.0.1
Error: Nexthop has invalid gateway.
Fri Jan 28 21:23:54 2022 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Jan 28 21:23:54 2022 GID set to nogroup
Fri Jan 28 21:23:54 2022 UID set to nobody
Fri Jan 28 21:23:54 2022 Initialization Sequence Completed
$ ip addr
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.20.5/24 brd 10.8.20.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::b3eb:9104:f2e4:a615/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
$ ip route
default via 192.168.175.153 dev enp0s29u1u1 proto dhcp metric 100
10.8.20.0/24 dev tun0 proto kernel scope link src 10.8.20.5
169.254.0.0/16 dev enp0s29u1u1 scope link metric 1000
192.168.175.0/24 dev enp0s29u1u1 proto kernel scope link src 192.168.175.56 metric 100
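The log above shows the mechanism behind the failure: every pushed route is installed on the client as `ip route add <net> via 10.8.0.1`, where 10.8.0.1 is the server's tun address (the default route-gateway in `topology subnet`), but the client's only tun route is `10.8.20.0/24 dev tun0`, so 10.8.0.1 is not on-link and the kernel refuses the nexthop. The script below is an added example, not code from the post or from OpenVPN/VyOS: it lints a CCD body against the server subnet and pushed routes and predicts exactly that condition. The two "fixed" inputs it checks (a /16 server subnet with a matching `ifconfig-push` mask, and a per-client `push "route-gateway ..."` override) are hypothetical configurations constructed for the example, not advice from the thread; the second still needs a kernel route on the server for the client's /24 via the tun interface, which the script only reports, it does not add.

```python
"""Lint OpenVPN client-config-dir (ccd) bodies against the server tunnel subnet.

A pushed route is installed on the client as
    ip route add <net> via <route-gateway>
so the route-gateway must be on-link for the address/mask the client got
from ifconfig-push; otherwise Linux rejects it ("Nexthop has invalid gateway").
Assumes 'topology subnet', where the default route-gateway is the first
host of the server subnet (the server's own tun address).
"""
import ipaddress
import shlex


def parse_directives(text):
    """Parse one OpenVPN directive per line; '#' and ';' start comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out


def client_interface(ccd):
    """Address/mask the client configures from ifconfig-push, or None (server pool)."""
    for name, args in ccd:
        if name == "ifconfig-push" and len(args) >= 2:
            return ipaddress.ip_interface(f"{args[0]}/{args[1]}")
    return None


def route_gateway(server_subnet, ccd):
    """Server tun address by default; a CCD push "route-gateway X" overrides it."""
    gw = next(server_subnet.hosts())
    for name, args in ccd:
        if name == "push" and args:
            words = args[0].split()
            if len(words) == 2 and words[0] == "route-gateway":
                gw = ipaddress.ip_address(words[1])
    return gw


def check_ccd(server_subnet, pushed_routes, ccd_text):
    """Report whether the client can install every pushed route."""
    net = ipaddress.ip_network(server_subnet)
    ccd = parse_directives(ccd_text)
    iface = client_interface(ccd)
    if iface is None:
        # Pool address: always inside the server subnet, so the gateway is on-link.
        return {"client": None, "gateway": str(next(net.hosts())),
                "gateway_on_link": True, "client_in_server_subnet": True,
                "failing_routes": [], "notes": []}
    gw = route_gateway(net, ccd)
    on_link = gw in iface.network
    in_subnet = iface.ip in net
    failing = [] if on_link else [str(ipaddress.ip_network(r)) for r in pushed_routes]
    notes = []
    if not on_link:
        notes.append(f"route-gateway {gw} is not on-link for {iface}; every pushed route fails")
    if not in_subnet:
        notes.append(f"{iface.ip} is outside {net}: the server kernel needs a route "
                     f"for {iface.network} via its tun interface for return traffic")
    return {"client": str(iface), "gateway": str(gw), "gateway_on_link": on_link,
            "client_in_server_subnet": in_subnet, "failing_routes": failing,
            "notes": notes}


# Constructed inputs modelled on the post: the three LAN routes the server pushes.
PUSHED_ROUTES = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]

# 1. The configuration from the post: /24 server subnet, client forced into 10.8.20.0/24.
ORIGINAL = check_ccd("10.8.0.0/24", PUSHED_ROUTES, "ifconfig-push 10.8.20.5 255.255.255.0\n")

# 2. Hypothetical fix A: widen the server subnet so every 10.8.x.0/24 is on-link to 10.8.0.1.
WIDER_SUBNET = check_ccd("10.8.0.0/16", PUSHED_ROUTES, "ifconfig-push 10.8.20.5 255.255.0.0\n")

# 3. Hypothetical fix B: keep the /24 but tell this client to use a gateway inside its own /24.
PER_CLIENT_GW = check_ccd("10.8.0.0/24", PUSHED_ROUTES,
                          'ifconfig-push 10.8.20.5 255.255.255.0\n'
                          'push "route-gateway 10.8.20.1"\n')

if __name__ == "__main__":
    for label, rep in [("original", ORIGINAL), ("wider subnet", WIDER_SUBNET),
                       ("per-client gateway", PER_CLIENT_GW)]:
        print(label, rep)
```

Run it as-is to see the three reports; point `check_ccd` at real CCD files by reading each one and passing the text, with the server subnet and push-route list copied from the router config. Firewall rules keyed on the 10.8.20.0/24 source still work with the /16 variant, since the client address is unchanged; only the mask handed to the client and the server subnet change.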