Openvpn, 2-way tunnel (=reverse connection -from openvpn-ser
-
- OpenVPN Power User
- Posts: 56
- Joined: Wed Sep 21, 2011 3:10 pm
Openvpn, 2-way tunnel (=reverse connection -from openvpn-ser
Hi,
My tunnel seems to work correctly. I'm connecting from 10.101.160.x to 192.168.1.x where I get a 192.168.33.x vpn-range.
However, now I would like to connect from the network I connect to (192.168.1.x) to the network I'm connecting from.
Network I'm connecting from = 10.101.160.x, but there are also other 10.x.x.x-networks, so I would like all private 10-ranges to be forwarded through my vpn.
The OS on which my openvpn runs is a Synology (so Linux). I already tried to add a static route:
> route add -net 10.100.4.0 netmask 255.255.255.0 gw 192.168.33.2
But a traceroute to a 10.100.4.x-address does not work. If this worked, I could add a static route to my router in the network, which points to the openvpn-server, and there would be a two-way tunnel ...
Thanks for your help!
Routes on openvpn-server:
-------------------------
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.33.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.33.0 192.168.33.2 255.255.255.0 UG 0 0 0 tun0
10.100.4.0 192.168.33.2 255.255.255.0 UG 0 0 0 tun0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
OPENVPN-SERVER:
----------------
#push "redirect-gateway def1"
#route 10.0.0.0 255.0.0.0 net_gateway
#route 172.16.0.0 255.240.0.0 net_gateway
#route 192.168.0.0 255.255.0.0 net_gateway
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.33.0 255.255.255.0"
dev tun
management 192.168.1.6 1195
server 192.168.33.0 255.255.255.0
dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key
max-clients 5
comp-lzo
persist-tun
persist-key
verb 3
#log-append /var/log/openvpn.log
keepalive 10 60
reneg-sec 0
plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp
- /usr/syno/etc/synovpn/openvpn/openvpn.conf 23/40 57%
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
the openvpn server needs to know that the 10.100 network is "behind" the openvpn client. Read up on
http://openvpn.net/index.php/open-sourc ... html#scope
for details. You'll need to create a CCD file containing the right routing information.
-
- OpenVPN Power User
- Posts: 56
- Joined: Wed Sep 21, 2011 3:10 pm
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
Thanks, however it looks as if this is to set up a connection from the client network to be able to reach the destination (openvpn)-server, whereas I want the destination network (where the openvpn-server is) to be able to connect to the client network.
In other words: client vpn = 10.101.160.x, vpn-server = 192.168.1.x (vpn-address = 192.168.33.x)
=> I would like 192.168.1.x-addresses to 10.101.160.x-addresses.
Note: however, 10.101.160.x-addresses other than the client should not be able to connect over vpn(!)
Appreciate your feedback.
J.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
read the HOWTO article again carefully: it does explain how to reach clients on a network behind an OpenVPN client.
-
- OpenVPN Power User
- Posts: 56
- Joined: Wed Sep 21, 2011 3:10 pm
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
Ok, thanks. I had a closer look, but not all is clear to me. I commented in red (the "=>" lines), your comment would be highly appreciated!
Expanding the scope of the VPN to include additional machines on either the client or server subnet.
For the purpose of this example, we will assume that the server-side LAN uses a subnet of 10.66.0.0/24 and the VPN IP address pool uses 10.8.0.0/24 as cited in the server directive in the OpenVPN server configuration file.
Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.
=> what is TUN/TAP? Do I need it here?
For this example, we will assume that the client LAN is using the 192.168.4.0/24 subnet, and that the VPN client is using a certificate with a common name of client2. Our goal is to set up the VPN so that any machine on the client LAN can communicate with any machine on the server LAN through the VPN.
Before setup, there are some basic prerequisites which must be followed:
The client LAN subnet (192.168.4.0/24 in our example) must not be exported to the VPN by the server or any other client sites which are using the same subnet. Every subnet which is joined to the VPN via routing must be unique.
The client must have a unique Common Name in its certificate ("client2" in our example), and the duplicate-cn flag must not be used in the OpenVPN server configuration file.
=> I have a certificate which was made by Synology, don't want to spend time to make one by myself for now, can this be done? I don't know how to extract/find the name within the certificate, or how to check or uncheck the duplicate-cn flag ...
First, make sure that IP and TUN/TAP forwarding is enabled on the client machine.
=> What is it, how/where is this done?
Next, we will deal with the necessary configuration changes on the server side. If the server configuration file does not currently reference a client configuration directory, add one now:
client-config-dir ccd
=> is this a line within the server config or a command line on the openvpn-server?
In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs. On Linux this tends to be /etc/openvpn and on Windows it is usually \Program Files\OpenVPN\config. When a new client connects to the OpenVPN server, the daemon will check this directory for a file which matches the common name of the connecting client. If a matching file is found, it will be read and processed for additional configuration file directives to be applied to the named client.
The next step is to create a file called client2 in the ccd directory. This file should contain the line:
iroute 192.168.4.0 255.255.255.0
This will tell the OpenVPN server that the 192.168.4.0/24 subnet should be routed to client2.
=> Can I add more routes to this file? For example
iroute 10.100.4.0
iroute ...
Next, add the following line to the main server config file (not the ccd/client2 file):
route 192.168.4.0 255.255.255.0
=> For Linux this would be on the NAS-server config?
route add -net 10.100.4.0 netmask 255.255.255.0 gw 'gateway of vpn' ?
Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server (via the TUN interface) while iroute controls the routing from the OpenVPN server to the remote clients. Both are necessary.
-
- OpenVPN Power User
- Posts: 56
- Joined: Wed Sep 21, 2011 3:10 pm
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
Ok, I found the common name in the certificate. However it is with spaces, could that be an issue? I have to create a file name with spaces on Linux ...(?):
CN = Synology Inc CAL
-
- OpenVPN Power User
- Posts: 56
- Joined: Wed Sep 21, 2011 3:10 pm
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
I have created the folder, but if I create the file, I get this:
DS> touch "Synology Inc CA"
DS> vi Synology\ Inc\ CA
Doesn't seem right, does it?
-
- OpenVPN Power User
- Posts: 56
- Joined: Wed Sep 21, 2011 3:10 pm
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
Update:
I tried to make the file with single quotes and the file seems to show up correctly:
DS> ls
Synology Inc. CA openvpn.conf server.conf
keys radiusplugin.cnf
---
The route-line is also there:
route 10.100.4.0 255.255.255.0
---
Now when I want to add a route to my Linux NAS machine, I get this:
DS> route add 10.100.4.0 netmask 255.255.255.0 gw 192.168.33.2
route: netmask 0000ffff and host route conflict
Furthermore I guess I have also to enable some kind of routing on the client connecting, but that's not clear to me (TUN/TAP-forwarding)?
Thanks a bunch for your help!
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
> Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.
> => what is TUN/TAP? Do I need it here?
the VPN uses a tun or tap networking interface ; you need to make sure that traffic is forwarded between the tun (or tap) interface and the rest of the system; for this you need
- ip_forward to be enabled (do a 'cat /proc/sys/net/ipv4/ip_forward' to check)
- iptables rules if required to allow forwarding; alternatively, disable iptables for now
> => I have a certificate which was made by Synology, don't want to spend time to make one by myself for now, can this be done? I don't know how to extract/find the name within the certificate, or how to check or uncheck the duplicate-cn flag ...
yes this can be done but you need to get the Synology root CA certificate (which should be publicly available somewhere).
> => is this a line within the server config or a command line on the openvpn-server?
normally this is a server config line ; make sure you use an absolute path for the directory, e.g.
client-config-dir /usr/local/synovpn/etc/openvpn/ccd
> => Can I add more routes to this file? For example
> iroute 10.100.4.0
> iroute ...
you can add as many iroutes in the CCD file as the system can handle
> DS> touch "Synology Inc CA"
> DS> vi Synology\ Inc\ CA
> Doesn't seem right, does it?
yep, that's OK, but the name of a CA cert file does not need to be the same as the CA name itself; you could use 'ca.crt' as well.
> DS> route add 10.100.4.0 netmask 255.255.255.0 gw 192.168.33.2
> route: netmask 0000ffff and host route conflict
I'd try something like
route add -net 10.100.4.0/24 gw 192.168.33.2
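As an added example (not code from this thread or from the OpenVPN project), the server-side checks the HOWTO quote and the reply above call for, written as a POSIX shell lint: the check_* functions assume a server.conf path and a CCD directory as arguments, and the sample files the script builds are constructed to mirror this thread (a relative client-config-dir, duplicate-cn still set, an iroute without its matching route, and a client that is actually on a /23).

```shell
#!/bin/sh
# Added example, not code from the thread: a lint for the server side of the
# "LAN behind an OpenVPN client" setup (client-config-dir, iroute, route).
# The sample config, CCD file and client address below are constructed to
# mirror the thread; pass real paths to the check_* functions on a server.
set -eu

# Network address of IP under MASK (per-octet AND): 10.101.161.129 with
# 255.255.254.0 is on 10.101.160.0, not 10.101.161.0.
net_of() {
    set -- $(printf '%s %s' "$1" "$2" | tr '.' ' ')
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# "net mask" pairs of one directive (route or iroute) in a file; comment
# lines never match because their first field starts with '#'.
directive_nets() {
    awk -v d="$1" '$1 == d { print $2, $3 }' "$2"
}

# HOWTO prerequisites in the server config: no duplicate-cn (CCD files are
# matched on a unique common name) and an absolute client-config-dir.
check_conf() {
    conf=$1 rc=0
    if grep -qE '^[[:space:]]*duplicate-cn([[:space:]]|$)' "$conf"; then
        echo "WARN: duplicate-cn is set in $conf"; rc=1
    fi
    dir=$(awk '$1 == "client-config-dir" { print $2 }' "$conf")
    case "$dir" in
        /*) ;;
        "") echo "WARN: no client-config-dir in $conf"; rc=1 ;;
        *)  echo "WARN: client-config-dir '$dir' is relative; use an absolute path"; rc=1 ;;
    esac
    return $rc
}

# Each iroute (OpenVPN -> client) needs the matching route (kernel -> OpenVPN)
# in the server config, and must name a network address, not a host.
check_routes() {
    conf=$1 ccd=$2 rc=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        for pair in $(directive_nets iroute "$f" | tr ' ' '/'); do
            n=${pair%/*} m=${pair#*/}
            : "${m:=255.255.255.255}"   # iroute without a mask is a host route
            if [ "$(net_of "$n" "$m")" != "$n" ]; then
                echo "BAD: iroute $n $m in $(basename "$f") is not a network address"; rc=1
            fi
            if ! directive_nets route "$conf" | grep -qx "$n $m"; then
                echo "MISSING: $conf needs 'route $n $m' for the iroute in $(basename "$f")"; rc=1
            fi
        done
    done
    return $rc
}

# 0 if the CCD file has an iroute equal to the LAN the client's IP and mask
# describe; this is the 255.255.254.0 question in the thread.
ccd_covers() {
    directive_nets iroute "$1" | grep -qx "$(net_of "$2" "$3") $3"
}

# Constructed sample reproducing the thread's state; prints the temp dir.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/ccd"
    printf '%s\n' 'server 192.168.33.0 255.255.255.0' 'client-config-dir ccd' \
        'duplicate-cn' 'route 10.100.4.0 255.255.255.0' > "$d/server.conf"
    printf '%s\n' 'iroute 10.100.4.0 255.255.255.0' \
        'iroute 10.101.161.0 255.255.255.0' > "$d/ccd/client2"
    echo "$d"
}
sample=$(make_sample)
check_conf "$sample/server.conf" || true
check_routes "$sample/server.conf" "$sample/ccd" || true
ccd_covers "$sample/ccd/client2" 10.101.161.129 255.255.254.0 ||
    echo "NOTE: client 10.101.161.129/23 is on 10.101.160.0; use 'iroute 10.101.160.0 255.255.254.0'"
rm -r "$sample"
```

The lint only reads files, so it is safe to run on a live server; it says nothing about ip_forward or iptables, which still have to be checked as described in the reply above.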
-
- OpenVPN Power User
- Posts: 56
- Joined: Wed Sep 21, 2011 3:10 pm
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
Thanks a million for this kind of support/quick feedback.
I've really been digging into it. Could you be so kind to comment where you see necessary?
Routing from LAN NAS-server to client-vpn:
--------------------------------------------
1. Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.
*IP forward:
echo 1 > /proc/sys/net/ipv4/ip_forward
-
Checked if this is activated:
DS> cat /proc/sys/net/ipv4/ip_forward
1
! NOTE: iptables is not active:
DS> iptables -L INPUT #
Chain INPUT (policy ACCEPT)
target prot opt source destination
Explanation mentions:
Also make sure that your network interface is in promiscuous mode.
=> What is the impact of doing this & how to do this, won't it work without activating this?
*TUN/TAP forwarding:
=> no idea where to start, no guidelines found how to activate this, is it necessary?
Note: the manual mentions:
'One of the benefits of using ethernet bridging is that you get this for free without needing any additional
configuration.'
=> Would that be a better option in my case?
2. Manual references to use the common name of the client in the certificate, I guess this is CN= ...?
Changed the name to ca.crt (see 6.)
3. Prerequisites to be met:
-The client must have a unique Common Name in its certificate ("client2" in our example): ok => ca.crt (not sure?)
-The duplicate-cn flag must not be used in the OpenVPN server configuration file.
=> How to do this?
4. First, make sure that IP and TUN/TAP forwarding is enabled on the client machine.
=> how to do this, didn't find info back
5. Add line client-config-dir ccd (client-config-dir /usr/local/synovpn/etc/openvpn/ccd)
=> done
on linux machine:
mkdir ccd
You mention: "make sure this directory is world readable"
=> how can I check if it is?
6. Create client file
=> see above, name is made with command between single brackets
The name of a CA cert file does not need to be the same as the CA name itself; you could use 'ca.crt' as well
=> ca.crt is in /usr/local/synovpn/etc/openvpn/ccd
DS> ls /usr/local/synovpn/etc/openvpn
ca.crt keys radiusplugin.cnf
ccd openvpn.conf server.conf
-
DS> cd /usr/local/synovpn/etc/openvpn/ccd
DS> ls
ca.crt
vi ca.crt
7. Added lines to ca.crt
iroute 10.100.4.0 255.255.255.0
iroute 10.101.161.0 255.255.255.0
=> done
Note: the ip of the pc-client is the following:
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 10.101.161.129
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.101.161.254
=> Should I use 255.255.254.0 now?
8. Add the following line to the main server config file (not the ccd/client2 file):
example: route 192.168.4.0 255.255.255.0
=> this does not work for the Linux-machine
=> however this works, but is it correct?:
route add -net 10.101.161.0 netmask 255.255.255.0 gw 192.168.33.2
note: see "Notes" below
9. Quote of you: "You need to get the Synology root CA certificate (which should be publicly available somewhere)"
=> Some confusion now: do I need it to create a certificate myself, or can I just use the ca.crt (which is in the configuration)?
AFTER ADAPTATIONS, should I REBOOT THE SYNOLOGY (LINUX)? I did now, but not sure if it is always necessary / I can trigger
a refresh (I know I have to make the route persistent and have to add it after reboot, still looking how to make it
persistent)
Notes:
------
troubleshooting:
traceroute to 10.101.161.129 (10.101.161.129), 30 hops max, 38 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
=> no input whatsoever where it goes wrong ...
Off topic:
----------------
I'm sometimes "stuck in Linux-console", do you know how to get out?
DS> cd \
> cd \
>
>
>
>
=> exit, bye, ctrl + c, nothing works, I just have to reconnect
-
- OpenVPN Power User
- Posts: 56
- Joined: Wed Sep 21, 2011 3:10 pm
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
Hi Jan,
I see you're online.
Would you mind getting me on track again? Some tips to help me troubleshooting would be great.
Cheers,
J.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn
whoops, this post slipped by me... I wasn't online at that time, BTW.
please add
verb 5
to the server log file and restart client and server; there should be a line in the server log when the client CCD file is processed; another quick & dirty debugging trick is to add
ccd-exclusive
to the server config - if there's anything wrong with the CCD file setup then the client won't be able to connect.
do you have only a single Synology cert? to use CCD files each client must have a unique certificate file.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Feb 10, 2020 3:50 pm
Re: Openvpn, 2-way tunnel (=reverse connection -from openvpn-ser
janhoedt-
Did you ever get this working? I'm facing a similar issue. I have an external VPS server. My client can establish the tunnel fine and get out to the internet through it. I'm having trouble getting the VPN server to connect to clients on the VPN client's internal network. I have IP forwarding in place on both ends and have followed the instructions in this doc, to no avail.
https://openvpn.net/community-resources/how-to/#scope
Thanks in advance.