I had the same requirement and solved it with the L3 tun type. The idea was quite simple: use ccd and put
iroute 0.0.0.0 0.0.0.0 for the client I want to use as a gateway. I'm on
OpenVPN 2.6_rc1. So, we should have at least 3 nodes in the network:
- server - endpoint with a public IP (a VPS on Debian in my case)
- client-gateway - a computer behind any firewalls / NATs with internet access (I use a Raspberry Pi at home; it's behind the provider's NAT and my home router). This computer will be used as an exit node for all clients of the VPN.
- client device - any client to be routed via client-gateway. I have Linux and Android only, but I suppose this will work for Windows clients too.
Important options for server are:
dev tun1
client-to-client
topology subnet
# We'll use this for our client-gateway special config
client-config-dir /etc/openvpn/ccd
# Or use this option manually for all clients except client-gateway
push "redirect-gateway autolocal"
Also DHCP and authentication must be configured. There is nothing special here, just another network.
The most important part is the client-specific configuration for the client-gateway node. It contains only 2 options:
# I believe this one is optional, but I haven't tested that
ifconfig-push 10.5.5.2 255.255.255.0
# This will route all the traffic onto our client-gateway node
iroute 0.0.0.0 0.0.0.0
I have net.ipv4.conf.tun1.forwarding=0 on the server, because all packets are routed internally by OpenVPN, I guess. They're probably not even passed to the kernel, so if you run tcpdump -i tun1 on the server, it will be silent, and that's OK.
For the client-gateway the only important option is route-nopull, since I'm pushing the default route to each client. And since my client-gateway node is behind the provider's NAT and router, I had to configure a static route to the VPN subnet via client-gateway on the router box, to make it handle packets from the tunnel properly. Or you can do masquerade on the client-gateway node. Anyway, net.ipv4.conf.tun1.forwarding must be enabled here.
All other clients have no special options.
I'm not very experienced in networking, but I've done a few tests with IP checks and tcpdump. And it seems the traffic is routed correctly: client -> server -> client-gateway -> internet.
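The setup described in the post, pulled together as an added example (this is not the poster's own script): it renders the server config, the ccd file for the exit node and the client-gateway config, checks that exactly one ccd entry carries the catch-all iroute (two exit nodes would leave OpenVPN's internal router with an ambiguous 0.0.0.0/0), and sets up forwarding plus MASQUERADE on the client-gateway as the alternative to the static route on the home router. Assumed values that are not in the post: the client-gateway's certificate CN is "gateway", its uplink interface is eth0, and the server is reachable as vpn.example.org:1194.

```shell
#!/bin/sh
# Added example, not from the forum post. Assumed: VPN subnet 10.5.5.0/24 on
# tun1, gateway cert CN "gateway", gateway uplink eth0, server vpn.example.org.

VPN_NET=10.5.5.0
VPN_MASK=255.255.255.0
VPN_CIDR=10.5.5.0/24
GW_VPN_IP=10.5.5.2
GW_CN=gateway        # ccd file name must equal the gateway cert's CN (assumed)
GW_UPLINK=eth0       # client-gateway's interface toward its router (assumed)

# Server: iroute + client-to-client keep the traffic inside OpenVPN's own
# routing table, so the server kernel never forwards anything on tun1.
render_server_conf() {
  cat <<EOF
dev tun1
topology subnet
server $VPN_NET $VPN_MASK
client-to-client
client-config-dir /etc/openvpn/ccd
# ordinary clients send everything into the tunnel
push "redirect-gateway autolocal"
EOF
}

# ccd/$GW_CN: the catch-all iroute registers 0.0.0.0/0 behind this client.
render_ccd() {
  cat <<EOF
ifconfig-push $GW_VPN_IP $VPN_MASK
iroute 0.0.0.0 0.0.0.0
EOF
}

# client-gateway: route-nopull keeps the pushed redirect-gateway off the exit
# node itself, otherwise its own uplink traffic would loop back into the tunnel.
render_gateway_conf() {
  cat <<EOF
client
dev tun1
proto udp
remote vpn.example.org 1194
route-nopull
# ca/cert/key lines as for any other client of this server
EOF
}

# Number of ccd files that declare the catch-all iroute.
count_exit_nodes() {
  grep -l '^iroute 0\.0\.0\.0 0\.0\.0\.0' "$1"/* 2>/dev/null | wc -l | tr -d ' '
}

# Exactly one exit node is sane: zero means nobody gets out, two is ambiguous.
check_ccd_dir() {
  n=$(count_exit_nodes "$1")
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one catch-all iroute in $1, found $n" >&2
    return 1
  fi
  return 0
}

# Runs as root on the client-gateway. Forwarding on tun1 plus MASQUERADE on
# the uplink replaces the static route on the home router.
setup_gateway_nat() {
  sysctl -w net.ipv4.ip_forward=1
  sysctl -w net.ipv4.conf.tun1.forwarding=1
  iptables -t nat -A POSTROUTING -s "$VPN_CIDR" -o "$GW_UPLINK" -j MASQUERADE
  iptables -A FORWARD -i tun1 -o "$GW_UPLINK" -s "$VPN_CIDR" -j ACCEPT
  iptables -A FORWARD -i "$GW_UPLINK" -o tun1 -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage (as root, on the respective hosts):
#   render_server_conf  > /etc/openvpn/server.conf          # on the server
#   render_ccd          > /etc/openvpn/ccd/$GW_CN           # on the server
#   check_ccd_dir /etc/openvpn/ccd                          # on the server
#   render_gateway_conf > /etc/openvpn/client.conf          # on the gateway
#   setup_gateway_nat                                       # on the gateway
```

The tun1 on the server stays silent under tcpdump for the reason the post gives: with client-to-client, packets between clients are switched inside the OpenVPN process and never reach the kernel, so the server needs no forwarding or NAT at all; only the exit node does.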