OVPN server to server routing

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
Arrow$$$
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 24, 2021 12:04 am

OVPN server to server routing

Post by Arrow$$$ » Thu Jun 24, 2021 12:13 am

Hi All,

I have two openvpn server running on the same server box. One on port 1194 and one on port 1195.

The subnets for each are 10.8.0.1 and 10.9.0.1 respectively

I have client to client enabled in both sever configs and they both use the same key infrastructure.

What is the easiest way to allow routing between all clients, both on the 10.9.0.0 range and 10.8.0.1 range?



SERVER1

port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0

########## CONFIGURATION FILE LOCATIONS ############
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

client-to-client
client-config-dir /etc/openvpn/ccd
cipher AES-256-GCM

########## DEFINE ROUTES ############
route 172.10.1.0 255.255.255.0
route 10.100.2.0 255.255.255.0
route 10.100.3.0 255.255.255.0

########## PUSH ROUTES TO CLIENTS ##########
push "route 172.10.1.0 255.255.255.0"
push "route 10.100.2.0 255.255.255.0"
push "route 10.100.3.0 255.255.255.0"

keepalive 10 120

max-clients 7
persist-key
persist-tun
explicit-exit-notify 1

########## LOGGING ##########
status openvpn.log
log openvpn.log
log-append openvpn.log
verb 3


SERVER2

Code: Select all

port 1195
proto udp
dev tun
topology subnet
server 10.9.0.0 255.255.255.0

########## CONFIGURATION FILE LOCATIONS ############
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

client-to-client
client-config-dir /etc/openvpn/ccd2 
cipher AES-256-GCM


########## DEFINE ROUTES ############
route 172.10.1.0 255.255.255.0
route 10.100.2.0 255.255.255.0
route 10.100.3.0 255.255.255.0

########## PUSH ROUTES TO CLIENTS ########## 
push "route 172.10.1.0 255.255.255.0"
push "route 10.100.2.0 255.255.255.0"
push "route 10.100.3.0 255.255.255.0"


keepalive 10 120

max-clients 4
persist-key
persist-tun
explicit-exit-notify 1

########## LOGGING ########## 
status      openvpn2.log
log         openvpn2.log
log-append  openvpn2.log
verb 3
[/oconf]

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OVPN server to server routing

Post by TinCanTech » Thu Jun 24, 2021 1:38 am

Arrow$$$ wrote:
Thu Jun 24, 2021 12:13 am
hat is the easiest way to allow routing between all clients, both on the 10.9.0.0 range and 10.8.0.1 range?
8 bit subnet

Arrow$$$
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 24, 2021 12:04 am

Re: OVPN server to server routing

Post by Arrow$$$ » Thu Jun 24, 2021 3:51 am

Hi TinCan,

I tried to PM you but I have joined under a new name just recently.

I am hoping you can help me a bit further???

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: OVPN server to server routing

Post by openvpn_inc » Tue Jun 29, 2021 4:20 pm

Simply:

Code: Select all

push "route 10.8.0.0 255.255.255.0"
on the server2, and

Code: Select all

push "route 10.9.0.0 255.255.255.0"
on server1, or, just

Code: Select all

push "route 10.8.0.0 255.255.254.0"
(23-bit netmask) on both. Similarly you could replace your 10.100.2.0 & 10.100.3.0 routes with a single 23-bit netmask:

Code: Select all

push "route 10.100.2.0 255.255.254.0"
Note that --client-to-client means only that openvpn handles that routing internally, not passing packets back to the OS routing stack. If you need to limit that traffic in your firewall, you don't want --client-to-client.

Hope this helps, regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply