I need to create this configuration, and I need to use OpenVPN to reach this goal.
There is a main office. This office has a LAN, 192.168.99.0/24, with LAN gateway 192.168.99.254.
In the main office the OpenVPN server has IP 192.168.99.253.
Soon there will be a branch office that will use an LTE connection, and I cannot do a site-to-site/IPsec connection because the LTE carriers use NAT.
The branch office LAN will be 192.168.43.0/24 with gateway 192.168.43.254.
The OpenVPN network is 10.8.0.0/24 (the default OpenVPN network is fine for me).
I would like just one dedicated machine in the branch office to run the OpenVPN client and establish the VPN connection to the main office,
so that from the branch office they can use the local servers and printers installed inside the main office.
After that, I would like to be able to reach the machines (computers and printers) inside the branch office from the main office, and not only the OpenVPN client host.
At the moment this is the situation:
- The OpenVPN server is running.
- The OpenVPN client can connect properly to my OpenVPN server using a certificate.
- The OpenVPN client can access the whole main office LAN 192.168.99.0/24 (this is fine at the moment).
- The OpenVPN client and OpenVPN server can ping each other using their OpenVPN IP addresses (10.8.0.X).
- The OpenVPN client and OpenVPN server can ping each other using their real LAN IP addresses (192.168.99.X and 192.168.43.X).
This means that I can ping the eth0 IP address of the OpenVPN client from the OpenVPN server.
I enabled IPv4 forwarding on the branch office Linux machine and on the main office Linux machine.
Here are my configurations:
OpenVPN SERVER
port 6666
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.99.1"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_A47ndxEEXecAXoCR.crt
key server_A47ndxEEXecAXoCR.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
# tell connecting clients to send main office LAN traffic into the tunnel
push "route 192.168.99.0 255.255.255.0"
# tell the other clients that the branch office LAN is reachable through the tunnel
push "route 192.168.43.0 255.255.255.0"
# kernel route on the server host: send branch office LAN traffic into tun0
route 192.168.43.0 255.255.255.0
# let VPN clients reach each other through the server
client-to-client
OpenVPN CLIENT
client
proto udp
explicit-exit-notify
remote mydomain.com 6666
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_A47ndxEEXecAXoCR name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
Client-config-dir (ccd) entry for the branch office client
# tells the OpenVPN daemon that this client owns the branch office LAN;
# it needs the matching "route 192.168.43.0 255.255.255.0" in the server config
iroute 192.168.43.0 255.255.255.0
Is it possible to complete my request?
Can I reach all the remote devices in the branch office (remote LAN 192.168.43.0/24)?
For example, if in the branch office LAN there is a printer with IP 192.168.43.100, what should I add to my configuration?
I read this https://community.openvpn.net/openvpn/w ... BszQb6#no1 and I have not understood how to reach all the devices in the branch office from the main office OpenVPN server.
At the moment I can change the configuration from TUN to TAP if it is necessary.
Thanks so much for your help!
Best regards
Federico
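The printer question at the end of the post comes down to the return path: the printer answers through its own gateway 192.168.43.254, which knows nothing about 192.168.99.0/24 or 10.8.0.0/24, and the same is true of the main office gateway 192.168.99.254 for 192.168.43.0/24. The script below is an added example, not code from the post or from the OpenVPN project. It checks that every `route` in the posted server config has a matching `iroute` in a ccd file, builds the routing tables the post describes, and follows a packet and its reply hop by hop, with and without the static routes the two LAN gateways need. The main office PC address 192.168.99.10, the OpenVPN client's LAN address 192.168.43.10, the VPN addresses 10.8.0.1 and 10.8.0.2, and the ccd file name `branch-client` are assumptions for the example.

```python
"""Hop-by-hop routing check for the site-to-site layout described in the post.

Addresses from the post: main LAN 192.168.99.0/24 (gateway .254, OpenVPN server
.253), branch LAN 192.168.43.0/24 (gateway .254), VPN 10.8.0.0/24, printer
192.168.43.100. Assumed for the example: a main office PC at 192.168.99.10, the
OpenVPN client host at 192.168.43.10 / 10.8.0.2, the server at 10.8.0.1.
"""
import ipaddress
import re

# Only the routing-relevant lines of the posted server.conf and ccd entry (constructed input).
SERVER_CONF = 'route 192.168.43.0 255.255.255.0\npush "route 192.168.43.0 255.255.255.0"\n'
CCD = {"branch-client": "iroute 192.168.43.0 255.255.255.0\n"}  # ccd file = client cert CN (assumed name)
CLIENT_VPN_IP = {"branch-client": "10.8.0.2"}                    # assumed address from the server pool


def openvpn_kernel_routes(server_conf, ccd, vpn_ip):
    """Every `route` in server.conf must be matched by an `iroute` in a ccd file:
    `route` makes the kernel send the subnet into tun0, `iroute` tells the OpenVPN
    daemon which client it belongs to. Returns [(subnet, client VPN IP)]."""
    owner = {}
    for cn, text in ccd.items():
        for m in re.finditer(r"^iroute\s+(\S+)\s+(\S+)", text, re.M):
            owner[ipaddress.ip_network(f"{m[1]}/{m[2]}")] = cn
    routes = []
    for m in re.finditer(r"^route\s+(\S+)\s+(\S+)", server_conf, re.M):
        net = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        if net not in owner:
            raise ValueError(f"route {net} has no matching iroute in any ccd file")
        routes.append((net, vpn_ip[owner[net]]))
    return routes


ADDRS = {  # which host owns which address
    "192.168.99.10": "main-pc", "192.168.99.254": "main-gw",
    "192.168.99.253": "ovpn-server", "10.8.0.1": "ovpn-server",
    "10.8.0.2": "ovpn-client", "192.168.43.10": "ovpn-client",
    "192.168.43.254": "branch-gw", "192.168.43.100": "printer",
}
FORWARDERS = {"main-gw", "ovpn-server", "ovpn-client", "branch-gw"}  # ip_forward=1 on these


def rt(*entries):
    """Routing table as (network, next hop); next hop None means directly connected."""
    return [(ipaddress.ip_network(n), via) for n, via in entries]


def build_tables(main_gw_routes=False, branch_gw_routes=False):
    """Routing tables as the post describes them; the flags add the static routes
    the LAN gateways need so that packets for the far side go to the VPN hosts."""
    t = {
        "main-pc":     rt(("192.168.99.0/24", None), ("0.0.0.0/0", "192.168.99.254")),
        "main-gw":     rt(("192.168.99.0/24", None), ("0.0.0.0/0", "internet")),
        "ovpn-server": rt(("192.168.99.0/24", None), ("10.8.0.0/24", None),
                          ("0.0.0.0/0", "192.168.99.254")),
        # pushed "route 192.168.99.0/24" plus redirect-gateway: default via the server
        "ovpn-client": rt(("192.168.43.0/24", None), ("10.8.0.0/24", None),
                          ("192.168.99.0/24", "10.8.0.1"), ("0.0.0.0/0", "10.8.0.1")),
        "branch-gw":   rt(("192.168.43.0/24", None), ("0.0.0.0/0", "internet")),  # LTE uplink
        "printer":     rt(("192.168.43.0/24", None), ("0.0.0.0/0", "192.168.43.254")),
    }
    t["ovpn-server"] += openvpn_kernel_routes(SERVER_CONF, CCD, CLIENT_VPN_IP)
    if main_gw_routes:    # on 192.168.99.254: ip route add 192.168.43.0/24 via 192.168.99.253 (+ 10.8.0.0/24)
        t["main-gw"] += rt(("192.168.43.0/24", "192.168.99.253"), ("10.8.0.0/24", "192.168.99.253"))
    if branch_gw_routes:  # on 192.168.43.254: ip route add 192.168.99.0/24 via 192.168.43.10 (+ 10.8.0.0/24)
        t["branch-gw"] += rt(("192.168.99.0/24", "192.168.43.10"), ("10.8.0.0/24", "192.168.43.10"))
    return t


def lookup(table, dst):
    """Longest-prefix match, as the kernel does it."""
    hits = [(net, via) for net, via in table if dst in net]
    return max(hits, key=lambda e: e[0].prefixlen) if hits else None


def trace(src_ip, dst_ip, tables):
    """Follow one packet from host to host; returns (path of hosts, verdict)."""
    dst, node, path = ipaddress.ip_address(dst_ip), ADDRS[src_ip], []
    while len(path) < 10:
        path.append(node)
        if ADDRS.get(dst_ip) == node:
            return path, "delivered"
        if len(path) > 1 and node not in FORWARDERS:
            return path, f"dropped: {node} does not forward"
        hit = lookup(tables[node], dst)
        if hit is None:
            return path, f"dropped: {node} has no route"
        nxt = dst_ip if hit[1] is None else hit[1]
        if nxt not in ADDRS:
            return path, f"lost: {node} forwards it to {nxt}"
        node = ADDRS[nxt]
    return path, "loop"


def round_trip(src_ip, dst_ip, tables, masquerade=None):
    """Forward packet plus its reply. `masquerade` maps a forwarder to the address it
    SNATs to (iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE on that host), so
    the reply is addressed to that forwarder instead of the real source."""
    fwd_path, fwd = trace(src_ip, dst_ip, tables)
    if fwd != "delivered":
        return fwd, None
    reply_to = src_ip
    for node in fwd_path[1:-1]:
        reply_to = (masquerade or {}).get(node, reply_to)
    return fwd, trace(dst_ip, reply_to, tables)[1]


if __name__ == "__main__":
    for label, kw in [("as posted", {}), ("+ route on main gateway", {"main_gw_routes": True}),
                      ("+ routes on both gateways", {"main_gw_routes": True, "branch_gw_routes": True})]:
        print(f"{label:28} PC -> printer:", round_trip("192.168.99.10", "192.168.43.100", build_tables(**kw)))
    print(f"{'main gw route + MASQUERADE':28} PC -> printer:",
          round_trip("192.168.99.10", "192.168.43.100", build_tables(main_gw_routes=True),
                     masquerade={"ovpn-client": "192.168.43.10"}))
```

The "as posted" run reproduces what the post observes: the server can ping the client's eth0 address because both addresses sit on hosts that have tunnel routes, but a packet for the printer dies on the first LAN gateway that has no route for the far side. With `ip route add 192.168.43.0/24 via 192.168.99.253` (and the same for 10.8.0.0/24) on 192.168.99.254 the request reaches the printer, and the reply is then lost on 192.168.43.254. Either add `ip route add 192.168.99.0/24 via 192.168.43.10` and `ip route add 10.8.0.0/24 via 192.168.43.10` on the branch gateway, or, if that gateway cannot take static routes, run `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` on the OpenVPN client host so branch devices see all main office traffic as coming from 192.168.43.10; the same choice applies on the server host for the other direction. NAT avoids touching the gateways but hides the real source addresses, which matters for printer access lists and logs. In both cases the FORWARD chain on the two VPN hosts must allow traffic between tun0 and eth0. None of this requires TAP: TUN with `route`/`iroute` is enough.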