Separate networks behind ovpn server



louarn
OpenVPN User
Posts: 21
Joined: Wed Oct 21, 2020 2:23 pm

Separate networks behind ovpn server

Post by louarn » Mon Jun 13, 2022 9:15 am

Hi there,

I have a community-version openvpn server, which works fine.

I have different dev, admin, etc. users and would like to filter their connections based on the network behind the openvpn server. Thus user1 must only be able to access the network containing the development and test machines, while user2 must be able to join the production network (which is actually 192.168.0.X/24).

Code:

port 1194
proto udp
dev tun

# Misc
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
status /var/log/openvpn/status.log
verb 5

# Network
topology subnet
mode server
server 10.8.0.0 255.255.0.0
keepalive 10 120
### DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.22"
push "dhcp-option DNS 208.67.220.220"
#ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"


# chiffrage
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_vXRFfNZnTVORimrZ.crt
key server_vXRFfNZnTVORimrZ.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

### Clients
client-config-dir /etc/openvpn/ccd
ccd-exclusive
 ###### Founders
route 10.8.10.0 255.255.255.0
 ###### Admin
route 10.8.20.0 255.255.255.0
 #####  Dev
route 10.8.30.0 255.255.255.0
 #####  Comm
route 10.8.40.0 255.255.255.0

### Private network
client-to-client
#push "route 192.168.0.0 255.255.255.0"  => if uncommented, user1 and user2 can reach all networks
#push "route 192.168.10.0 255.255.255.0"
#push "route 192.168.20.0 255.255.255.0"
#push "route 192.168.30.0 255.255.255.0"

In the ccd dir:
user1

Code:

iroute 192.168.10.0 255.255.255.0
ifconfig-push 10.8.30.10 255.255.255.0

user2

Code:

iroute 192.168.0.0 255.255.255.0
ifconfig-push 10.8.20.10 255.255.255.0

With this config, user1 and user2 get their IPs but can't connect to the inside:
Route: Waiting for TUN/TAP interface to come up...

And it works for user3:

Code:

ifconfig-push 10.8.10.100 255.255.0.0

How can I force user1 and 2 to join their network while allowing for example the admin to go everywhere?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Separate networks behind ovpn server

Post by TinCanTech » Mon Jun 13, 2022 2:04 pm

louarn wrote:
Mon Jun 13, 2022 9:15 am
How can I force user1 and 2 to join their network while allowing for example the admin to go everywhere?
There is a similar example documented here:
https://community.openvpn.net/openvpn/wiki/HOWTO

You need to learn how to configure your server firewall also.

I think you misunderstand your CCD user config files: --iroute is for remote LANs situated behind clients, not the server.

louarn
OpenVPN User
Posts: 21
Joined: Wed Oct 21, 2020 2:23 pm

Re: Separate networks behind ovpn server

Post by louarn » Tue Jun 14, 2022 1:53 pm

Thank you for the link. I tested it, but it gets stuck at the routes...

My existing network is in 192.168.0.0/24, and when one of my users connects from home, for example, he arrives on the openvpn/firewall server with, for dev1: 10.8.30.1 255.255.0.0

Code:

ccd/dev1:
ifconfig-push 10.8.30.1 255.255.0.0

Once the tunnel is up, he goes through the 192.168. network and has access to everything (dev1 can reach my backup server, which is 192.168.0.57, and I don't want that), which is normal since in the server.conf file I add the routes:

Code:

### Private network
client-to-client
push "route 192.168.0.0 255.255.255.0"

If I remove this last line, he still has access to the network, since the server gives him the routes...

And I always access my servers with my OVPN/FW server's internal IP.

I'm continuing my tests.

louarn
OpenVPN User
Posts: 21
Joined: Wed Oct 21, 2020 2:23 pm

Re: Separate networks behind ovpn server

Post by louarn » Tue Jun 14, 2022 3:21 pm

Code:

mode server
server 10.8.0.0 255.255.252.0
client-config-dir /etc/openvpn/ccd
ccd-exclusive
 ###### admins
route 10.8.10.0 255.255.255.0
 ###### dev
route 10.8.20.0 255.255.255.0
 
### Private network
client-to-client
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"

With ccd/admin1:

Code:

ifconfig-push 10.8.10.100 255.255.0.0

I can reach my whole network.

With ccd/dev1:

Code:

ifconfig-push 10.8.20.6 10.8.20.5

I can't reach the gateway:

Code:

Tue Jun 14 17:14:49 2022 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 16 2022
Tue Jun 14 17:14:49 2022 Windows version 10.0 (Windows 10 or greater) 64bit
Tue Jun 14 17:14:49 2022 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Tue Jun 14 17:14:49 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Tue Jun 14 17:14:49 2022 Need hold release from management interface, waiting...
Tue Jun 14 17:14:49 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Tue Jun 14 17:14:50 2022 MANAGEMENT: CMD 'state on'
Tue Jun 14 17:14:50 2022 MANAGEMENT: CMD 'log all on'
Tue Jun 14 17:14:50 2022 MANAGEMENT: CMD 'echo all on'
Tue Jun 14 17:14:50 2022 MANAGEMENT: CMD 'bytecount 5'
Tue Jun 14 17:14:50 2022 MANAGEMENT: CMD 'hold off'
Tue Jun 14 17:14:50 2022 MANAGEMENT: CMD 'hold release'
Tue Jun 14 17:14:50 2022 MANAGEMENT: CMD 'password [...]'
Tue Jun 14 17:14:50 2022 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jun 14 17:14:50 2022 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jun 14 17:14:50 2022 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jun 14 17:14:50 2022 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jun 14 17:14:50 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Tue Jun 14 17:14:50 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jun 14 17:14:50 2022 UDP link local: (not bound)
Tue Jun 14 17:14:50 2022 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Tue Jun 14 17:14:50 2022 MANAGEMENT: >STATE:1655219690,WAIT,,,,,,
Tue Jun 14 17:14:50 2022 MANAGEMENT: >STATE:1655219690,AUTH,,,,,,
Tue Jun 14 17:14:50 2022 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=1de5dc6e 52763a7c
Tue Jun 14 17:14:50 2022 VERIFY OK: depth=1, CN=cn_IaT4jJpan9IrdjkY
Tue Jun 14 17:14:50 2022 VERIFY KU OK
Tue Jun 14 17:14:50 2022 Validating certificate extended key usage
Tue Jun 14 17:14:50 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jun 14 17:14:50 2022 VERIFY EKU OK
Tue Jun 14 17:14:50 2022 VERIFY X509NAME OK: CN=server_vXRFfNZnTVORimrZ
Tue Jun 14 17:14:50 2022 VERIFY OK: depth=0, CN=server_vXRFfNZnTVORimrZ
Tue Jun 14 17:14:50 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
Tue Jun 14 17:14:50 2022 [server_vXRFfNZnTVORimrZ] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Tue Jun 14 17:14:51 2022 MANAGEMENT: >STATE:1655219691,GET_CONFIG,,,,,,
Tue Jun 14 17:14:51 2022 SENT CONTROL [server_vXRFfNZnTVORimrZ]: 'PUSH_REQUEST' (status=1)
Tue Jun 14 17:14:51 2022 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 208.67.222.22,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,route 192.168.0.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.20.6 10.8.20.5,peer-id 0,cipher AES-128-GCM'
Tue Jun 14 17:14:51 2022 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jun 14 17:14:51 2022 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jun 14 17:14:51 2022 OPTIONS IMPORT: route options modified
Tue Jun 14 17:14:51 2022 OPTIONS IMPORT: route-related options modified
Tue Jun 14 17:14:51 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jun 14 17:14:51 2022 OPTIONS IMPORT: peer-id set
Tue Jun 14 17:14:51 2022 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Jun 14 17:14:51 2022 OPTIONS IMPORT: data channel crypto options modified
Tue Jun 14 17:14:51 2022 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Tue Jun 14 17:14:51 2022 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Tue Jun 14 17:14:51 2022 interactive service msg_channel=704
Tue Jun 14 17:14:51 2022 open_tun
Tue Jun 14 17:14:51 2022 tap-windows6 device [OpenVPN TAP-Windows6] opened
Tue Jun 14 17:14:51 2022 TAP-Windows Driver Version 9.24 
Tue Jun 14 17:14:51 2022 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.20.4/10.8.20.6/10.8.20.5 [SUCCEEDED]
Tue Jun 14 17:14:51 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.20.6/10.8.20.5 on interface {45D5987D-7700-492A-86F2-352238B907A3} [DHCP-serv: 10.8.20.4, lease-time: 31536000]
Tue Jun 14 17:14:51 2022 Successful ARP Flush on interface [6] {45D5987D-7700-492A-86F2-352238B907A3}
Tue Jun 14 17:14:51 2022 MANAGEMENT: >STATE:1655219691,ASSIGN_IP,,10.8.20.6,,,,
Tue Jun 14 17:14:51 2022 IPv4 MTU set to 1500 on interface 6 using service
Tue Jun 14 17:14:51 2022 Blocking outside dns using service succeeded.
Tue Jun 14 17:14:56 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:14:56 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:01 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:01 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:02 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:02 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:03 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:03 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:04 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:04 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:05 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:05 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:06 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:06 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:07 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:07 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:08 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:08 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:09 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:09 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:10 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:10 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:11 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:11 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:12 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:12 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:13 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:13 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:14 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:14 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:15 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:15 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:16 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:16 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:17 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:17 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:18 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:18 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:19 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:19 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:20 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:20 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:21 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:21 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:22 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:22 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:23 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:23 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:24 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:24 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:25 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:25 2022 Route: Waiting for TUN/TAP interface to come up...
Tue Jun 14 17:15:26 2022 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jun 14 17:15:26 2022 C:\Windows\system32\route.exe ADD XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.1.1
Tue Jun 14 17:15:26 2022 Route addition via service succeeded
Tue Jun 14 17:15:26 2022 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun 14 17:15:26 2022 Warning: route gateway is not reachable on any active network adapters: 10.8.0.1
Tue Jun 14 17:15:26 2022 Route addition via service failed
Tue Jun 14 17:15:26 2022 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun 14 17:15:26 2022 Warning: route gateway is not reachable on any active network adapters: 10.8.0.1
Tue Jun 14 17:15:26 2022 Route addition via service failed
Tue Jun 14 17:15:26 2022 MANAGEMENT: >STATE:1655219726,ADD_ROUTES,,,,,,
Tue Jun 14 17:15:26 2022 C:\Windows\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.1
Tue Jun 14 17:15:26 2022 Warning: route gateway is not reachable on any active network adapters: 10.8.0.1
Tue Jun 14 17:15:26 2022 Route addition via service failed
Tue Jun 14 17:15:26 2022 C:\Windows\system32\route.exe ADD 192.168.10.0 MASK 255.255.255.0 10.8.0.1
Tue Jun 14 17:15:26 2022 Warning: route gateway is not reachable on any active network adapters: 10.8.0.1
Tue Jun 14 17:15:26 2022 Route addition via service failed
Tue Jun 14 17:15:26 2022 C:\Windows\system32\route.exe ADD 192.168.20.0 MASK 255.255.255.0 10.8.0.1
Tue Jun 14 17:15:26 2022 Warning: route gateway is not reachable on any active network adapters: 10.8.0.1
Tue Jun 14 17:15:26 2022 Route addition via service failed
Tue Jun 14 17:15:26 2022 SYSTEM ROUTING TABLE
Tue Jun 14 17:15:26 2022 0.0.0.0 0.0.0.0 192.168.1.1 p=0 i=35 t=4 pr=3 a=447739 h=0 m=35/0/0/0/0
Tue Jun 14 17:15:26 2022 XXX.XXX.XXX.XXX 255.255.255.255 192.168.1.1 p=0 i=35 t=4 pr=3 a=0 h=0 m=291/0/0/0/0
Tue Jun 14 17:15:26 2022 127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=2853248 h=0 m=331/0/0/0/0
Tue Jun 14 17:15:26 2022 127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=2853248 h=0 m=331/0/0/0/0
Tue Jun 14 17:15:26 2022 127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=2853248 h=0 m=331/0/0/0/0
Tue Jun 14 17:15:26 2022 192.168.0.0 255.255.255.0 10.8.0.1 p=0 i=6 t=4 pr=3 a=2850672 h=0 m=4/0/0/0/0
Tue Jun 14 17:15:26 2022 192.168.0.0 255.255.255.0 192.168.0.118 p=0 i=6 t=4 pr=3 a=2849900 h=0 m=4/0/0/0/0
Tue Jun 14 17:15:26 2022 192.168.1.0 255.255.255.0 192.168.1.28 p=0 i=35 t=3 pr=2 a=110960 h=0 m=291/0/0/0/0
Tue Jun 14 17:15:26 2022 192.168.1.28 255.255.255.255 192.168.1.28 p=0 i=35 t=3 pr=2 a=110960 h=0 m=291/0/0/0/0
Tue Jun 14 17:15:26 2022 192.168.1.255 255.255.255.255 192.168.1.28 p=0 i=35 t=3 pr=2 a=110960 h=0 m=291/0/0/0/0
Tue Jun 14 17:15:26 2022 224.0.0.0 240.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=2853248 h=0 m=331/0/0/0/0
Tue Jun 14 17:15:26 2022 224.0.0.0 240.0.0.0 0.0.0.0 p=0 i=6 t=3 pr=2 a=2853247 h=0 m=259/0/0/0/0
Tue Jun 14 17:15:26 2022 224.0.0.0 240.0.0.0 192.168.1.28 p=0 i=35 t=3 pr=2 a=1894747 h=0 m=291/0/0/0/0
Tue Jun 14 17:15:26 2022 255.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=2853248 h=0 m=331/0/0/0/0
Tue Jun 14 17:15:26 2022 255.255.255.255 255.255.255.255 0.0.0.0 p=0 i=6 t=3 pr=2 a=2853247 h=0 m=259/0/0/0/0
Tue Jun 14 17:15:26 2022 255.255.255.255 255.255.255.255 192.168.1.28 p=0 i=35 t=3 pr=2 a=1894747 h=0 m=291/0/0/0/0
Tue Jun 14 17:15:26 2022 SYSTEM ADAPTER LIST
Tue Jun 14 17:15:26 2022 Intel(R) Ethernet Connection (2) I219-V
Tue Jun 14 17:15:26 2022   Index = 13
Tue Jun 14 17:15:26 2022   GUID = {95CF4588-C891-49FF-BEEE-27C41B45DDB8}
Tue Jun 14 17:15:26 2022   IP = 0.0.0.0/0.0.0.0 
Tue Jun 14 17:15:26 2022   MAC = 18:66:da:2c:ad:91
Tue Jun 14 17:15:26 2022   GATEWAY = 192.168.1.1/255.255.255.255 
Tue Jun 14 17:15:26 2022   DHCP SERV =  
Tue Jun 14 17:15:26 2022   DHCP LEASE OBTAINED = 2022-06-14 17:15:26
Tue Jun 14 17:15:26 2022   DHCP LEASE EXPIRES  = 2022-06-14 17:15:26
Tue Jun 14 17:15:26 2022   DNS SERV =  
Tue Jun 14 17:15:26 2022 Wintun Userspace Tunnel
Tue Jun 14 17:15:26 2022   Index = 15
Tue Jun 14 17:15:26 2022   GUID = {F0B53EB7-4259-48FE-8F44-835F5F5E94D9}
Tue Jun 14 17:15:26 2022   IP = 0.0.0.0/0.0.0.0 
Tue Jun 14 17:15:26 2022   MAC = 
Tue Jun 14 17:15:26 2022   GATEWAY = 0.0.0.0/255.255.255.255 
Tue Jun 14 17:15:26 2022   DNS SERV =  
Tue Jun 14 17:15:26 2022 TAP-Windows Adapter V9
Tue Jun 14 17:15:26 2022   Index = 6
Tue Jun 14 17:15:26 2022   GUID = {45D5987D-7700-492A-86F2-352238B907A3}
Tue Jun 14 17:15:26 2022   IP = 169.254.190.33/255.255.0.0 
Tue Jun 14 17:15:26 2022   MAC = 00:ff:45:d5:98:7d
Tue Jun 14 17:15:26 2022   GATEWAY = 0.0.0.0/255.255.255.255 
Tue Jun 14 17:15:26 2022   DHCP SERV = 0.0.0.0/255.255.255.255 
Tue Jun 14 17:15:26 2022   DHCP LEASE OBTAINED = 2022-06-14 17:15:26
Tue Jun 14 17:15:26 2022   DHCP LEASE EXPIRES  = 2022-06-14 17:15:26
Tue Jun 14 17:15:26 2022   DNS SERV =  
Tue Jun 14 17:15:26 2022 Realtek 8812BU Wireless LAN 802.11ac USB NIC
Tue Jun 14 17:15:26 2022   Index = 35
Tue Jun 14 17:15:26 2022   GUID = {F9DDE755-D00A-45AA-A267-D3E1E9C9B6DC}
Tue Jun 14 17:15:26 2022   IP = 192.168.1.28/255.255.255.0 
Tue Jun 14 17:15:26 2022   MAC = 1c:bf:ce:35:70:8e
Tue Jun 14 17:15:26 2022   GATEWAY = 192.168.1.1/255.255.255.255 
Tue Jun 14 17:15:26 2022   DHCP SERV = 192.168.1.1/255.255.255.255 
Tue Jun 14 17:15:26 2022   DHCP LEASE OBTAINED = 2022-06-14 16:47:36
Tue Jun 14 17:15:26 2022   DHCP LEASE EXPIRES  = 2022-06-15 16:47:36
Tue Jun 14 17:15:26 2022   DNS SERV = 192.168.1.1/255.255.255.255 
Tue Jun 14 17:15:26 2022 Microsoft Wi-Fi Direct Virtual Adapter
Tue Jun 14 17:15:26 2022   Index = 42
Tue Jun 14 17:15:26 2022   GUID = {D069DD98-F63E-4E11-8032-76733B171A70}
Tue Jun 14 17:15:26 2022   IP = 0.0.0.0/0.0.0.0 
Tue Jun 14 17:15:26 2022   MAC = 1e:bf:ce:35:70:8e
Tue Jun 14 17:15:26 2022   GATEWAY = 0.0.0.0/255.255.255.255 
Tue Jun 14 17:15:26 2022   DHCP SERV =  
Tue Jun 14 17:15:26 2022   DHCP LEASE OBTAINED = 2022-06-14 17:15:26
Tue Jun 14 17:15:26 2022   DHCP LEASE EXPIRES  = 2022-06-14 17:15:26
Tue Jun 14 17:15:26 2022   DNS SERV =  
Tue Jun 14 17:15:26 2022 Microsoft Wi-Fi Direct Virtual Adapter #2
Tue Jun 14 17:15:26 2022   Index = 48
Tue Jun 14 17:15:26 2022   GUID = {CE82DD44-FB60-4903-8124-7CFCA22C6742}
Tue Jun 14 17:15:26 2022   IP = 0.0.0.0/0.0.0.0 
Tue Jun 14 17:15:26 2022   MAC = 1c:bf:ce:35:70:8e
Tue Jun 14 17:15:26 2022   GATEWAY = 0.0.0.0/255.255.255.255 
Tue Jun 14 17:15:26 2022   DHCP SERV =  
Tue Jun 14 17:15:26 2022   DHCP LEASE OBTAINED = 2022-06-14 17:15:26
Tue Jun 14 17:15:26 2022   DHCP LEASE EXPIRES  = 2022-06-14 17:15:26
Tue Jun 14 17:15:26 2022   DNS SERV =  
Tue Jun 14 17:15:26 2022 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
Tue Jun 14 17:15:26 2022 MANAGEMENT: >STATE:1655219726,CONNECTED,ERROR,10.8.20.6,XXX.XXX.XXX.XXX,1194,,

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Separate networks behind ovpn server

Post by TinCanTech » Tue Jun 14, 2022 5:49 pm

louarn wrote:
Tue Jun 14, 2022 3:21 pm
With ccd/dev1:

Code:

ifconfig-push 10.8.20.6 10.8.20.5

You do not want to use a NET30 address if you use --topology subnet.

louarn
OpenVPN User
Posts: 21
Joined: Wed Oct 21, 2020 2:23 pm

Re: Separate networks behind ovpn server

Post by louarn » Wed Jun 15, 2022 9:00 am

Aah, yes! Thanks!

louarn
OpenVPN User
Posts: 21
Joined: Wed Oct 21, 2020 2:23 pm

Re: Separate networks behind ovpn server

Post by louarn » Sat Jun 18, 2022 8:07 am

Well.

I modified my server.conf as the following:

Code:

### Clients
client-config-dir /etc/openvpn/ccd
ccd-exclusive
 ###### admins
route 10.8.10.0 255.255.255.0
 ###### dev
route 10.8.20.0 255.255.255.0

### Private network
client-to-client
#push "route 192.168.0.0 255.255.255.0"
#push "route 192.168.10.0 255.255.255.0"
#push "route 192.168.20.0 255.255.255.0"

I added on my openvpn/firewall server:

Code:

iptables -t filter -A OUTPUT -p tcp -s 10.8.20.0/24 -d 192.168.0.0/24 -j DROP

and

Code:

iptables -t filter -A OUTPUT -p tcp -s 10.8.20.2 -d 192.168.0.0/24 -j DROP

but my user dev:

Code:

ccd/dev:
route 192.168.20.0 255.255.255.0
ifconfig-push 10.8.20.2 255.255.255.0

can still reach my server 192.168.0.57 ...

What is wrong?
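The rules in the post above sit in the OUTPUT chain, which only sees packets the server itself originates; a VPN client's packet to a LAN host is forwarded by the server and is filtered in the FORWARD chain, and "-p tcp" would not have covered ICMP or UDP anyway. Below is an added example of a FORWARD-chain policy for the subnets used in this thread (admins 10.8.10.0/24 everywhere, dev 10.8.20.0/24 only to its own LAN); it is not code from the thread or from OpenVPN, and the interface name tun0, the chain name VPN_FWD and the dev LAN 192.168.20.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Per-subnet access policy for VPN
# clients on a Linux box that is both the OpenVPN server and the firewall.
#
# A packet from a VPN client to a LAN host enters on the tun interface and
# is forwarded, so it traverses FORWARD. OUTPUT only sees packets the
# server itself generates, which is why the OUTPUT rules changed nothing.
#
# Assumed layout (hypothetical, adjust to your setup):
#   tun0           OpenVPN interface (topology subnet, server 10.8.0.0/22)
#   10.8.10.0/24   admins -> may reach every LAN behind the server
#   10.8.20.0/24   dev    -> may reach 192.168.20.0/24 only
#   192.168.0.0/16 all private LANs (192.168.0.0/24 is production)
# Usage: ./vpn-policy.sh apply (as root)  |  ./vpn-policy.sh show
VPN_IF=tun0
ADMIN_NET=10.8.10.0/24
DEV_NET=10.8.20.0/24
LAN_DEV=192.168.20.0/24
LAN_ALL=192.168.0.0/16

# Run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_vpn_policy() {
    # Own chain, so the policy can be reloaded without touching other rules.
    ipt -N VPN_FWD 2>/dev/null || true
    ipt -F VPN_FWD
    # Hook: everything arriving from the tunnel is judged by VPN_FWD
    # (delete a stale hook first so a reload does not duplicate it).
    ipt -D FORWARD -i "$VPN_IF" -j VPN_FWD 2>/dev/null || true
    ipt -I FORWARD 1 -i "$VPN_IF" -j VPN_FWD
    # Replies from the LAN to flows that were allowed (any protocol).
    ipt -D FORWARD -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
    ipt -I FORWARD 1 -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Admins may go everywhere behind the server.
    ipt -A VPN_FWD -s "$ADMIN_NET" -j ACCEPT
    # Dev: its own LAN, plus anything that is not a private LAN (the server
    # pushes redirect-gateway, so dev's Internet traffic also lands here).
    ipt -A VPN_FWD -s "$DEV_NET" -d "$LAN_DEV" -j ACCEPT
    ipt -A VPN_FWD -s "$DEV_NET" ! -d "$LAN_ALL" -j ACCEPT
    # Everything else from the tunnel (dev -> 192.168.0.57 included): log, drop.
    ipt -A VPN_FWD -m limit --limit 5/min -j LOG --log-prefix "VPN_FWD drop: "
    ipt -A VPN_FWD -j DROP
}

# Print the rules apply_vpn_policy would install (no root needed).
dump_vpn_policy() {
    ( DRY_RUN=1; apply_vpn_policy )
}

# Number of generated rules that match source subnet $1 (admins 1, dev 2).
count_rules_for() {
    dump_vpn_policy | grep -c -- "-s $1"
}

case "${1:-}" in
    apply) apply_vpn_policy ;;
    show)  dump_vpn_policy ;;
esac
```

Note that with client-to-client enabled, traffic between two VPN clients is switched inside the OpenVPN process and never reaches the kernel's FORWARD chain, so this policy only governs VPN-to-LAN traffic.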
