I'm having some trouble making clients visible to each other.
I have 2 Ubuntu servers to be connected on the VPN that are also connected to the same router (subnet 192.168.1.0/24).
The server at 192.168.1.2 runs as the OpenVPN server, while the other one (192.168.1.3) is connected to VPN as a client.
The following are my configuration files:
# main-server.conf
mode server
tls-server
port 1194
proto udp
dev tun0
ifconfig 10.8.0.1 255.255.255.0
push "route-gateway 10.8.0.1"
push "redirect-gateway def1 autolocal bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
topology subnet
push "topology subnet"
max-clients 10
client-to-client
ifconfig-pool 10.8.0.3 10.8.0.253 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
data-ciphers AES-256-CBC
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn/openvpn-status.log
keepalive 10 120
explicit-exit-notify 1
# ccd/other-server
ifconfig-push 10.8.0.2 255.255.255.0
# other-server.conf
client
remote 192.168.1.2 1194
proto udp
dev tun
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/raspi.crt
key /etc/openvpn/client/raspi.key
tls-auth /etc/openvpn/client/ta.key 1
auth-nocache
cipher AES-256-CBC
data-ciphers AES-256-CBC
The problem is that if I connect another device (e.g. my Linux laptop) it gets 10.8.0.3, it sees the server at 10.8.0.1 but it can't connect to 10.8.0.2.
What I want is 10.8.0.0/24 subnet acting as a real LAN where all connected devices are visible to others.
I don't know if my firewall could be the problem.
I am using firewalld; both servers have the tun0 interface assigned to the internal zone, configured as follows:
internal (active)
target: default
icmp-block-inversion: no
interfaces: tun0
sources: 192.168.1.0/24
services: dhcp dns mdns ssh
ports:
protocols:
forward: yes
masquerade: [yes|no] <-- # yes on main-server, no on other-server; I don't know if this is relevant
forward-ports:
source-ports:
icmp-blocks:
rich rules:
allow-internal-out (active)
priority: -1
target: ACCEPT
ingress-zones: internal
egress-zones: ANY
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Thank you for helping.
Andrea
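An added diagnostic example (not part of the post above, and not OpenVPN or firewalld project code): it parses an OpenVPN server config and a `firewall-cmd --info-zone` listing in the shape quoted above, then reports which firewall actually sits between two VPN peers and whether a given kind of traffic is accepted by the destination host's zone. With `client-to-client` set, OpenVPN switches peer traffic inside its own process, so the server host's firewall is not in the path; what decides reachability is the firewalld zone holding tun0 on the destination client. The sample config and zone listing below are constructed from the values in the post (the client zone uses `masquerade: no`); the function names `parse_openvpn_conf`, `parse_firewalld_zone` and `check_peer_reachability` are this example's own.

```python
"""Added example: which firewall gates peer-to-peer traffic on an OpenVPN subnet?

Sample inputs are constructed from the values in the forum post above.
"""
import shlex

# Constructed from the posted main-server.conf (only the directives that matter here).
SERVER_CONF = """\
mode server
tls-server
port 1194
proto udp
dev tun0
ifconfig 10.8.0.1 255.255.255.0
push "route-gateway 10.8.0.1"
topology subnet
push "topology subnet"
client-to-client
ifconfig-pool 10.8.0.3 10.8.0.253 255.255.255.0
"""

# Constructed from the posted `internal` zone as it is on other-server (masquerade: no).
CLIENT_ZONE = """\
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources: 192.168.1.0/24
  services: dhcp dns mdns ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def parse_openvpn_conf(text):
    """Map each directive to a list of its argument lists (directives such as push repeat)."""
    conf = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # keeps push "topology subnet" as one arg
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def parse_firewalld_zone(text):
    """Parse `firewall-cmd --info-zone <zone>` output into {field: [tokens]} plus 'name'."""
    lines = text.splitlines()
    zone = {"name": lines[0].split()[0]}
    for line in lines[1:]:
        if ":" in line:
            key, _, value = line.strip().partition(":")
            zone[key.strip()] = value.split()
    return zone


def check_peer_reachability(server_conf, peer_zone, traffic):
    """Return (allowed, findings) for traffic from one VPN client to another.

    traffic is "icmp" (ping), a firewalld service name such as "ssh",
    or "<port>/<proto>" such as "80/tcp".
    """
    findings = []
    if "client-to-client" in server_conf:
        findings.append("server: client-to-client is set; peer traffic is switched inside "
                        "OpenVPN and never reaches the server host's firewall")
    else:
        findings.append("server: client-to-client is absent; peer traffic is forwarded by "
                        "the server kernel and needs a forward rule there")
    if ["subnet"] not in server_conf.get("topology", []):
        findings.append("server: topology is not 'subnet'; peers may get /30 addresses")
    if "tun0" not in peer_zone.get("interfaces", []):
        findings.append(f"peer: tun0 is not in zone {peer_zone['name']}")

    if traffic == "icmp":
        # Default target accepts echo-request unless it is in icmp-blocks (or inversion is on).
        inverted = peer_zone.get("icmp-block-inversion", ["no"]) == ["yes"]
        allowed = ("echo-request" in peer_zone.get("icmp-blocks", [])) == inverted
    else:
        allowed = traffic in peer_zone.get("services", []) or traffic in peer_zone.get("ports", [])
    if not allowed:
        findings.append(f"peer: zone {peer_zone['name']} does not list {traffic}; "
                        "the zone's default target rejects it for inbound VPN peers")
    return allowed, findings


if __name__ == "__main__":
    conf = parse_openvpn_conf(SERVER_CONF)
    zone = parse_firewalld_zone(CLIENT_ZONE)
    for kind in ("icmp", "ssh", "80/tcp"):
        ok, notes = check_peer_reachability(conf, zone, kind)
        print(f"{kind}: {'allowed' if ok else 'blocked'}")
        for note in notes:
            print("  -", note)
```

Run it against your own `firewall-cmd --info-zone internal` output from the client that should be reachable, choosing the service or port you are actually testing; a ping that works while a TCP connection fails is exactly the pattern the last check describes.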