- reach VPN clients located behind firewalls I don't control (those clients can only connect outward, so the server must be the publicly reachable end)
- reach devices on my home network, whose WAN connection forwards no externally initiated traffic (no inbound port forwarding is possible there either)
- prevent authorized VPN clients belonging to one entity from reaching another entity's clients or networks
Environment:
- Ubuntu 20.04 server
- Virtualmin standard LAMP stack, OpenVPN server 2.5.6
openvpn-server.conf
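# OpenVPN 2.5 server. This is the manual expansion of the `server` helper
# (mode server + tls-server + ifconfig + pushed topology/route-gateway) but
# deliberately WITHOUT an address pool, so every client's address comes only
# from its ccd file and thereby lands in a fixed per-entity /24.
port 1194
proto udp4
dev tun0
ca ca.crt
cert server.crt
key server.key
# No finite-field DH parameters: with tls-server and `dh none` the TLS
# handshake uses ECDH only.
dh none
topology subnet
#server 172.16.0.0 255.255.0.0
mode server
tls-server
push "topology subnet"
# Server's own tun address. Clients are NOT pooled; see ccd/.
ifconfig 172.16.0.254 255.255.0.0
#ifconfig-pool 172.16.0.1 172.16.0.253 255.255.0.0
push "route-gateway 172.16.0.254"
# Kernel route so the server's own stack sends the home LAN (10.0.0.0/24) into
# tun0; OpenVPN then hands those packets to whichever client holds the matching
# `iroute` (ccd/client1). The route is not pushed globally on purpose - only
# the clients that should see the home LAN get it, via their ccd file.
route 10.0.0.0 255.255.255.0 172.16.0.254
#push "route 10.0.0.0 255.255.255.0"
client-config-dir ccd
# Reject any client whose certificate CN has no ccd file. Without a pool such a
# client would get no address and belong to no entity subnet, so the per-subnet
# FORWARD rules could not classify it. Every issued cert must map to a ccd entry.
ccd-exclusive
# Left off on purpose: with client-to-client disabled, traffic between clients
# is written to tun0 and routed back by the kernel, so it traverses the FORWARD
# chain - which is where entity separation is enforced.
#client-to-client
keepalive 10 120
tls-crypt ta.key
# Pin the data channel to AES-256-GCM using the 2.5 negotiation directive;
# `cipher` stays as the fallback for peers that do not negotiate.
data-ciphers AES-256-GCM
cipher AES-256-GCM
# Explicit TLS floor so the control channel never falls back to TLS 1.0/1.1,
# whatever this build's default happens to be.
tls-version-min 1.2
# Optional hardening: require the client EKU on peer certs so a server cert
# can never be used to connect as a client. Enable only if your CA sets
# "TLS Web Client Authentication" on client certs (EasyRSA does).
#remote-cert-tls client
max-clients 64
# Drop root after the tunnel is up; persist-* keep the key and tun usable
# across restarts without re-acquiring privileges.
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA256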
ccd/client1
# Presumably the box sitting on the home LAN: pinned into entity A's subnet
# (172.16.1.0/24) and announcing 10.0.0.0/24 behind it. `iroute` only tells
# OpenVPN's internal routing which client owns that subnet; the matching kernel
# route lives in openvpn-server.conf (`route 10.0.0.0 255.255.255.0 ...`).
# Both are needed or packets for 10.0.0.0/24 never reach this client.
ifconfig-push 172.16.1.1 255.255.0.0
iroute 10.0.0.0 255.255.255.0
ccd/client2
# Second entity-A client (same /24 as client1). Only this client is pushed the
# home-LAN route; the server-wide push of that route is commented out in
# openvpn-server.conf, so other entities never learn it.
ifconfig-push 172.16.1.2 255.255.0.0
push "route 10.0.0.0 255.255.255.0"
ccd/client3
# Client of a different entity: placed in its own /24 (172.16.2.0/24) so the
# server's FORWARD chain can separate entities by source/destination subnet, and
# not pushed the 10.0.0.0/24 route. NOTE: the pushed /16 mask still makes all of
# 172.16.0.0/16 on-link from the client's point of view, so isolation has to
# come from the server's firewall, never from addressing alone.
ifconfig-push 172.16.2.1 255.255.0.0
openvpn-client.ovpn
# Client profile; clientX.crt/.key are per-client and the cert CN must match a
# ccd file on the server.
client
dev tun
proto udp4
# NOTE(review): 192.168.1.100 is a private address. Unless it is a placeholder,
# clients behind foreign firewalls (goal 1) cannot reach it - this must be the
# server's public address or DNS name.
remote 192.168.1.100 1194
resolv-retry infinite
nobind
# Drop privileges once the tunnel is up (Linux/Unix clients only; ignored elsewhere).
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert clientX.crt
key clientX.key
# Require the server-side EKU/nsCertType on the peer cert so a stolen client
# cert cannot be used to impersonate the server.
remote-cert-tls server
# Must be the same ta.key as the server; encrypts and authenticates the control channel.
tls-crypt ta.key
cipher AES-256-GCM
verb 3
auth SHA256
# Do not keep passphrases / user credentials in memory after use.
auth-nocache
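# Enable IPv4 forwarding persistently by uncommenting the stock Ubuntu line,
# then apply it now. The sed script is quoted and anchored so it only touches
# the commented-out line and is not exposed to shell globbing/quoting.
# Forwarding turns this host into a router for ALL of its interfaces, so it
# must go together with a FORWARD chain that drops by default (see the
# firewall-cmd rules below); on its own it lets any tun0 client reach
# whatever this host can route to.
sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf && sysctl -p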
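# FORWARD policy for the VPN. Entity A (172.16.1.0/24) may reach the home LAN
# behind client1 (10.0.0.0/24) and nothing else; return traffic rides on
# conntrack; everything else entering tun0 is dropped. Because `client-to-client`
# is off, packets between clients are routed back through tun0 and hit this
# chain too, so the DROP is what keeps entity A and entity B (172.16.2.0/24)
# apart. The original single ACCEPT carried no destination match, so it also
# allowed 172.16.1.0/24 -> 172.16.2.0/24 and anything else reachable from the
# server. firewalld's own FORWARD disposition depends on the zone tun0 lands in;
# making the drop explicit avoids relying on it.
# Direct rules added without --permanent vanish on reload/reboot, so each rule
# is added to both the runtime and the permanent configuration.
for mode in "" --permanent; do
  firewall-cmd $mode --direct --add-rule ipv4 filter FORWARD 10 \
      -i tun0 -s 172.16.1.0/24 -d 10.0.0.0/24 -j ACCEPT
  firewall-cmd $mode --direct --add-rule ipv4 filter FORWARD 20 \
      -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  firewall-cmd $mode --direct --add-rule ipv4 filter FORWARD 30 \
      -i tun0 -j DROP
done
# Verify: firewall-cmd --direct --get-all-rules ; then test from a 172.16.2.x
# client that 172.16.1.x and 10.0.0.x are unreachable.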