I'm quite new to configuring OpenVPN and struggling to set up a nested VPN connection between my work laptop when doing home office and a workstation in our laboratory in a subnet of our university network. The network topology looks as follows:
```
                       +--------------------+     +--------------+
            +----------| Home network       | --+-- | Work Laptop  |
           /           | Router             |   |   +--------------+
          /            +--------------------+   |
         |                                      |   +--------------+
     .-~~-.                                     +-- | Private PC   |
  .- ~ ~-(   )_ _                                   +--------------+
 /             ~ -.
|    Internet       \
 \                 .'
  ~- . ____________ . -~
          \
           \           +--------------------+     +--------------+     +---------------------+
            +----------| University network | --+-- | Lab network  | --+-- | Lab Workstation     |
                       | Router             |   |   | Router       |   |   +---------------------+
                       +--------------------+   |   +--------------+   |
                                                |                      |   +---------------------+
                                                |                      +-- | Other lab equipment |
                                                |                          +---------------------+
                                                |   +--------------+
                                                +-- | Office PC    |
                                                |   +--------------+
                                                |
                                                |
                                                +-- ...
```
Once this connection is established I can reach our lab router, which is under my control and has port forwarding configured on ports 22 (SSH) and 1194. Since stuff in our lab changes on a regular basis, I tried to set up the connection following this minimal tutorial. It basically suggests to use the same certificate on both machines and to start the server with:
```sh
# server side (lab router)
sudo openvpn --dev tun --ifconfig 172.16.0.1 172.16.0.2 --cipher AES-256-CBC --secret static-OpenVPN.key

# client side (work laptop)
sudo openvpn --remote YOUR-OPENVPN-SERVER-IP-OR-HOST --dev tun --ifconfig 172.16.0.1 172.16.0.2 --cipher AES-256-CBC --secret static-OpenVPN.key
```
The described setup works nicely when I'm connecting from my work laptop to a server on my private PC in the same network, but it fails when I try to reach the lab workstation. I also noticed that AnyConnect loses connection for a second the moment I launch the OpenVPN client on my laptop. My guess is that I somehow need to tell my client that it needs to establish the new connection through the existing tunnel instead of replacing it. However, from what I saw in the documentation, it feels like I would need to specify the --route settings on the outer tunnel, managed by AnyConnect...
Am I correct in that assumption, and is there any other way of making it work without having to mingle with the "outer" VPN tunnel?
If it helps, here is also the output of ifconfig for both interfaces:
```
cscotun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1350
        inet 123.456.78.9  netmask 255.255.255.0  destination 123.456.78.9
        inet6 xxxx::xxxx:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        inet6 xxxx:xxxx:xxxx:x::xxx  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 83566  bytes 32795906 (32.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 80094  bytes 13179455 (13.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.2.2  netmask 255.255.255.255  destination 192.168.2.1
        inet6 fe80::a380:14a3:f078:2a0b  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
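An added example, not part of the original post: a small POSIX sh check for the two things worth verifying in a nested setup like this, whether the route to the OpenVPN remote actually leaves through the outer AnyConnect interface (assumed here to be cscotun0) and whether the inner tunnel interface ever receives anything (the tun0 output above shows RX packets 0). The `ip route get` and ifconfig samples are constructed, and the remote and gateway addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the outer tunnel
# interface is cscotun0; OVPN_REMOTE would hold the lab router's address.

# Extract the "dev" field from one line of `ip route get <addr>` output.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Succeed (exit 0) only if the route line leaves through the expected interface.
# A different device means the inner tunnel bypasses the outer one.
route_via() {
    [ "$(route_dev "$1")" = "$2" ]
}

# Extract the "RX packets" counter for interface $2 from ifconfig output $1.
# A tunnel whose RX counter stays at 0 never gets answers from its peer.
rx_packets() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 ~ /^[A-Za-z0-9]+:$/ { cur = substr($1, 1, length($1) - 1) }
        cur == ifc && $1 == "RX" && $2 == "packets" { print $3 }'
}

# Constructed sample: route to the remote goes over the outer tunnel (good).
SAMPLE_ROUTE_OK='10.0.0.10 via 198.51.100.1 dev cscotun0 src 198.51.100.9 uid 1000'
# Constructed sample: route to the remote goes over the home WLAN instead (bad).
SAMPLE_ROUTE_BAD='10.0.0.10 via 192.168.178.1 dev wlp2s0 src 192.168.178.20 uid 1000'

# Constructed, shortened ifconfig output mirroring the counters shown above.
SAMPLE_IFCONFIG='cscotun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1350
        RX packets 83566  bytes 32795906 (32.7 MB)
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.2.2  netmask 255.255.255.255  destination 192.168.2.1
        RX packets 0  bytes 0 (0.0 B)
        TX packets 3  bytes 144 (144.0 B)'

# Live use on a real host would be, for example:
#   route_via "$(ip route get "$OVPN_REMOTE" | head -n 1)" cscotun0 || echo "remote not routed via outer tunnel"
#   [ "$(rx_packets "$(ifconfig)" tun0)" -gt 0 ] || echo "tun0 receives nothing"
```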