Client to client connection

andrea_5f3d6
OpenVpn Newbie
Posts: 3
Joined: Sat May 21, 2022 11:18 am

Client to client connection

Post by andrea_5f3d6 » Sat May 21, 2022 11:55 am

Hello everyone,

I'm having some trouble making clients visible to each other.
I have 2 Ubuntu servers to be connected on the VPN that are also connected to the same router (subnet 192.168.1.0/24).
The server at 192.168.1.2 runs as the OpenVPN server, while the other one (192.168.1.3) is connected to VPN as a client.

The following are my configuration files:

Code:

# main-server.conf

mode server
tls-server
port 1194
proto udp
dev tun0
ifconfig 10.8.0.1 255.255.255.0
push "route-gateway 10.8.0.1"
push "redirect-gateway def1 autolocal bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"

topology subnet
push "topology subnet"
max-clients 10
client-to-client
ifconfig-pool 10.8.0.3 10.8.0.253 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0

cipher AES-256-CBC
data-ciphers AES-256-CBC

persist-key
persist-tun

user nobody
group nogroup

status /var/log/openvpn/openvpn-status.log

keepalive 10 120
explicit-exit-notify 1

Code:

# ccd/other-server
ifconfig-push 10.8.0.2 255.255.255.0

Code:

# other-server.conf

client

remote 192.168.1.2 1194
proto udp
dev tun

resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

mute-replay-warnings

remote-cert-tls server
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/raspi.crt
key /etc/openvpn/client/raspi.key
tls-auth /etc/openvpn/client/ta.key 1

auth-nocache

cipher AES-256-CBC
data-ciphers AES-256-CBC

I don't use server in main-server.conf because to give other-server a unique IP I manually modified ifconfig-pool. Without this change other-server would get 10.8.0.2 and any new client would get the same IP from the pool (its default was 10.8.0.2 --> 10.8.0.253).

The problem is that if I connect another device (e.g. my Linux laptop) it gets 10.8.0.3, it sees the server at 10.8.0.1 but it can't connect to 10.8.0.2.
What I want is 10.8.0.0/24 subnet acting as a real LAN where all connected devices are visible to others.

I don't know if my firewall could be the problem.
I am using firewalld; both servers have the tun0 interface assigned to the internal zone, configured as follows:

Code:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources: 192.168.1.0/24
  services: dhcp dns mdns ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: [yes|no] <-- # yes on main-server, no on other-server; i don't know if this is relevant
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

In addition, I created a new policy on main-server to allow the clients' internet traffic that is redirected to the server:

Code:

allow-internal-out (active)
  priority: -1
  target: ACCEPT
  ingress-zones: internal
  egress-zones: ANY
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

I hope I provided enough information; if not, please ask.

Thank you for helping.

Andrea
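As an added example (not code from this thread), a small Python checker for the server-config/ccd mismatch this post describes: it parses the OpenVPN directives, confirms that client-to-client and topology subnet are present, and verifies that every ifconfig-push address in the ccd lies inside the tunnel subnet but outside the ifconfig-pool range. The sample config text and the ccd entry are constructed to mirror main-server.conf and ccd/other-server above; the "laptop" entry used when exercising it is hypothetical.

```python
"""Added example: sanity-check an OpenVPN server config against its
client-config-dir (ccd) entries. Flags a missing client-to-client or
topology subnet, and any static ifconfig-push address that is outside the
tunnel subnet or inside the dynamic ifconfig-pool range (the overlap the
poster avoided by hand-editing the pool to start at 10.8.0.3)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the relevant lines of the thread's main-server.conf.
SERVER_CONF = """\
mode server
tls-server
dev tun0
ifconfig 10.8.0.1 255.255.255.0
topology subnet
client-to-client
ifconfig-pool 10.8.0.3 10.8.0.253 255.255.255.0
client-config-dir ccd
"""

# Constructed sample: ccd file contents keyed by client certificate common name.
CCD_FILES = {"other-server": "ifconfig-push 10.8.0.2 255.255.255.0\n"}


def parse_directives(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive name to the list of argument lists it was given.
    Comments (#) and blank lines are ignored; a directive may repeat."""
    out: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        out.setdefault(name, []).append(args)
    return out


def pool_range(d: Dict[str, List[List[str]]]) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """First and last address handed out dynamically, if ifconfig-pool is set."""
    if "ifconfig-pool" not in d:
        return None
    lo, hi = (ipaddress.ip_address(a) for a in d["ifconfig-pool"][0][:2])
    return lo, hi


def check_server(conf_text: str, ccd: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means every check passed."""
    problems: List[str] = []
    d = parse_directives(conf_text)

    if "client-to-client" not in d:
        problems.append("client-to-client is not set, so the server will not relay traffic between clients")
    topo = d.get("topology", [[]])[0]
    if not topo or topo[0] != "subnet":
        problems.append("topology subnet is not set")

    # Tunnel subnet comes from 'ifconfig <addr> <mask>' in mode server, or from 'server <net> <mask>'.
    if "ifconfig" in d:
        addr, mask = d["ifconfig"][0][:2]
    elif "server" in d:
        addr, mask = d["server"][0][:2]
    else:
        problems.append("neither ifconfig nor server is set, so the tunnel subnet is unknown")
        return problems
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    pool = pool_range(d)

    for cn, text in ccd.items():
        for args in parse_directives(text).get("ifconfig-push", []):
            ip = ipaddress.ip_address(args[0])
            if ip not in net:
                problems.append(f"ccd/{cn}: {ip} is outside the tunnel subnet {net}")
            elif pool and pool[0] <= ip <= pool[1]:
                problems.append(f"ccd/{cn}: static {ip} collides with the dynamic pool {pool[0]}-{pool[1]}")
    return problems


if __name__ == "__main__":
    for line in check_server(SERVER_CONF, CCD_FILES) or ["no problems found"]:
        print(line)
```

Run it against the real files by reading main-server.conf and each file in the ccd directory into the two arguments; a static address that lands inside the pool is exactly the duplicate-IP situation the poster describes.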

antioch
OpenVpn Newbie
Posts: 9
Joined: Fri Sep 10, 2021 7:17 pm

Re: Client to client connection

Post by antioch » Sun May 22, 2022 3:09 pm

With client-to-client specified, your firewall rules play no part as I understand it. Instead, all communications remain inside OpenVPN and never hit the network stack.

What happens if you comment out the following in main-server.conf?

Code:

push "redirect-gateway def1 autolocal bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"

andrea_5f3d6
OpenVpn Newbie
Posts: 3
Joined: Sat May 21, 2022 11:18 am

Re: Client to client connection

Post by andrea_5f3d6 » Tue May 24, 2022 1:12 pm

@antioch thanks for the reply.

Commenting

Code:

push "dhcp-option DNS 10.8.0.1"

the client just stops using the main-server DNS.

Commenting

Code:

push "redirect-gateway def1 autolocal bypass-dhcp"

OpenVPN stops setting main-server as the default route for all of the client's connections.

Still, I can't ping the other server at 10.8.0.2 with nmap.

This is the ip route output:

Code:

default dev tun0 proto static scope link metric 50 
default via 10.102.0.1 dev wlo1 proto dhcp src 10.102.54.233 metric 600 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.3 metric 50 
10.102.0.0/16 dev wlo1 proto kernel scope link src 10.102.54.233 metric 600 
10.102.0.1 dev wlo1 proto static scope link metric 50

and this is the traceroute 10.8.0.2 output

Code:

traceroute to 10.8.0.2 (10.8.0.2), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  35.248 ms  35.268 ms  35.292 ms
 2  * * *
[...]

with the suggested modifications.

traceroute gives the same result with those options active, while ip route has the following output:

Code:

default via 10.8.0.1 dev tun0 proto static metric 50 
default via 10.102.0.1 dev wlo1 proto dhcp src 10.102.54.233 metric 600 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.3 metric 50 
10.102.0.0/16 dev wlo1 proto kernel scope link src 10.102.54.233 metric 600 
10.102.0.1 dev wlo1 proto static scope link metric 50

andrea_5f3d6
OpenVpn Newbie
Posts: 3
Joined: Sat May 21, 2022 11:18 am

Re: Client to client connection

Post by andrea_5f3d6 » Tue May 24, 2022 2:06 pm

I solved the issue; it was the firewall. I didn't realize that a modification I made broke the OpenVPN connection of the other server: using remote 192.168.1.2 in other-server.conf requires the main server's firewall to accept connections on port 1194 in its internal zone, while I was accepting them only in the main server's external zone.

nmap still reports the hosts as down (I should probably change the scan type from -sn to another one), but traceroute reaches the other clients and I can ssh into my other server correctly.

Thanks for the help.
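As an added example (not code from this thread), a Python check for the firewalld mistake found here: it parses the text that firewall-cmd --zone=<zone> --list-all prints, works out which zone a client's source address lands in, and reports whether that zone lists the openvpn service or 1194/udp. The point it demonstrates is that firewalld matches a packet to a zone by source binding before interface binding, so a LAN client at 192.168.1.3 is classified into internal by its sources: 192.168.1.0/24 line, not into the interface-bound external zone where the port was open. The zone listings, including an external zone on a hypothetical uplink interface eth0, are constructed for this example.

```python
"""Added example: decide, from the text that 'firewall-cmd --zone=<zone> --list-all'
prints, which firewalld zone a client's source address falls into and whether
that zone admits inbound OpenVPN. firewalld matches a packet to a zone by its
source binding before its interface binding, which is why a LAN client reaches
the zone carrying 'sources: 192.168.1.0/24' rather than the interface-bound
external zone. All listings below are constructed for this example."""
import ipaddress
from typing import Dict, List, Optional

# Constructed: the thread's internal zone, with no openvpn service or 1194/udp entry.
INTERNAL_ZONE = """\
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources: 192.168.1.0/24
  services: dhcp dns mdns ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed: the same zone after 'firewall-cmd --zone=internal --add-port=1194/udp'.
INTERNAL_ZONE_FIXED = INTERNAL_ZONE.replace("  ports:\n", "  ports: 1194/udp\n")

# Constructed: an external zone bound to a hypothetical uplink interface eth0 that does allow 1194/udp.
EXTERNAL_ZONE = """\
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports: 1194/udp
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def parse_zone_listing(text: str) -> Dict[str, List[str]]:
    """Return {field: tokens}; the zone name from the first line is stored under 'zone'."""
    lines = text.strip().splitlines()
    fields: Dict[str, List[str]] = {"zone": [lines[0].split()[0]]}
    for line in lines[1:]:
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return fields


def zone_admits_openvpn(text: str, port: int = 1194, proto: str = "udp") -> bool:
    """True if the zone lists the openvpn service or the given port/proto explicitly."""
    f = parse_zone_listing(text)
    return "openvpn" in f.get("services", []) or f"{port}/{proto}" in f.get("ports", [])


def zone_for_source(listings: List[str], source_ip: str) -> Optional[str]:
    """Name of the first zone whose 'sources:' covers source_ip, or None when
    only an interface binding could apply."""
    ip = ipaddress.ip_address(source_ip)
    for text in listings:
        f = parse_zone_listing(text)
        for src in f.get("sources", []):
            try:
                if ip in ipaddress.ip_network(src, strict=False):
                    return f["zone"][0]
            except ValueError:  # MAC or ipset sources are not address ranges
                continue
    return None


def diagnose(listings: List[str], client_ip: str, port: int = 1194, proto: str = "udp") -> str:
    """One-line verdict for a client at client_ip trying to reach the OpenVPN port."""
    zone = zone_for_source(listings, client_ip)
    if zone is None:
        return f"{client_ip}: no source-bound zone matches; the ingress interface's zone applies"
    text = next(t for t in listings if parse_zone_listing(t)["zone"][0] == zone)
    verdict = "allows" if zone_admits_openvpn(text, port, proto) else "blocks"
    return f"{client_ip}: zone {zone} {verdict} {port}/{proto}"


if __name__ == "__main__":
    print(diagnose([INTERNAL_ZONE, EXTERNAL_ZONE], "192.168.1.3"))        # the other-server case
    print(diagnose([INTERNAL_ZONE_FIXED, EXTERNAL_ZONE], "192.168.1.3"))  # after opening the port
```

To use it on a live host, capture firewall-cmd --zone=<zone> --list-all for each active zone into the listings list and pass the LAN address of the client that cannot connect; when the verdict names a zone that blocks the port, that zone, not the one bound to the uplink interface, is where the openvpn service or port needs to be added.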
