Create a Virtual Local Area Network with openvpn

How to customize and extend your OpenVPN installation.


Die_Quelle
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 02, 2014 1:04 am

Create a Virtual Local Area Network with openvpn

Post by Die_Quelle » Thu Jan 02, 2014 2:28 am

Hey guys,

I am stuck on building a solution with OpenVPN like this:

[Image]

I want to connect my clients to the VPN server (which works great), but the problem is that I can't access any vserver in the 192.168.1.1 subnet.

The config should contain a rule so that any computer in the 192.168.1.1 subnet is reachable from the client.

My current OpenVPN config (server):

Code:

port 1194
proto udp
dev tun
# remember which address each client was given
ifconfig-pool-persist ipp.txt
keepalive 10 120
# compression (deprecated in current OpenVPN releases)
comp-lzo
# drop privileges after startup
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
# let VPN clients reach each other through the server
client-to-client
# VPN subnet; the server itself is 172.16.0.1 on tun0
server 172.16.0.0 255.255.255.0
# send ALL client traffic (not only the LAN) through the VPN
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
ca /ca.crt
cert vpnserver.crt
key vpnserver.key

Additionally, the iptables rule for accessing the internet via the VPN:

Code:

iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j SNAT --to 144.76.x.x

Does anyone have a solution for this?
Thanks a lot

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens, Greece

Re: Create a Virtual Local Area Network with openvpn

Post by maikcat » Thu Jan 02, 2014 7:08 am

Are your servers OpenVZ containers?

Michael.
Amiga 500, ZX +2 owner
Long live Dino Dini (Kick Off 2 creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

Die_Quelle

Re: Create a Virtual Local Area Network with openvpn

Post by Die_Quelle » Thu Jan 02, 2014 11:21 am

I am virtualizing with Proxmox. At the moment they are fully kernel-based virtual machines (KVM).
Are there differences between OpenVZ and KVM when using OpenVPN?

As you can see in my server config, I am at least accessing the WWW via my server (both should be possible).

Thanks for the reply.

maikcat

Re: Create a Virtual Local Area Network with openvpn

Post by maikcat » Thu Jan 02, 2014 11:44 am

Die_Quelle wrote:
Are there differences between OpenVZ and KVM when using OpenVPN?

Yes, regarding networking components.

Some things to check:

1) Did you enable IP forwarding on the OpenVPN server itself?

2) Can you disable, for testing, any firewall rules on the OpenVPN server itself?

3) Can you ping the OpenVPN server's LAN IP from your client (with NAT off)?

Michael.
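The three checks above, as an added example in POSIX shell (this is not maikcat's or the original poster's code): it reads the forwarding sysctl, dumps the forwarding and NAT rules with their hit counters, can take the firewall and the SNAT out of the picture for a test while keeping a backup, and pings a path hop by hop from the client. The interface names tun0/eth1 in the comments and the addresses in the usage lines are assumptions; the sysctl file path is a parameter only so the function can be exercised against a file.

```shell
#!/bin/sh
# Added example: maikcat's three checks as a script for the OpenVPN server.
# Assumptions: tun device is tun0, LAN-side interface is eth1.

# 1) Is the kernel forwarding at all? Without this, packets that arrive on tun0
#    for 192.168.1.0/24 are silently dropped, whatever iptables says.
#    $1 overrides the sysctl file path (defaults to the live value).
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    v=$(cat "$f")
    if [ "$v" = "1" ]; then
        echo "ip_forward=1 (ok)"
        return 0
    fi
    echo "ip_forward=$v: enable with 'sysctl -w net.ipv4.ip_forward=1' and persist it in /etc/sysctl.conf"
    return 1
}

# 2) What does the firewall do to forwarded traffic? -S prints the rules as
#    iptables commands (first line is the chain policy); -L -v adds hit
#    counters, so a DROP rule with a rising counter points at the culprit.
show_firewall() {
    iptables -S FORWARD
    iptables -t nat -S POSTROUTING
    iptables -L FORWARD -v -n
}

# Take the firewall and the NAT out of the picture for the duration of a test,
# keeping a copy so it can be put back. Only the chains involved are flushed.
firewall_off_for_test() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    echo "rules saved to $backup; restore with: iptables-restore < $backup"
    iptables -P FORWARD ACCEPT
    iptables -F FORWARD
    iptables -t nat -F POSTROUTING     # this is the "with NAT off" part
}

# 3) From the client, ping the server's tun address, then its LAN address, then
#    a LAN host. The first one that fails tells you which hop loses the packet.
ping_path() {
    for h in "$@"; do
        if ping -c 3 -W 2 "$h" >/dev/null 2>&1; then
            echo "$h reachable"
        else
            echo "$h unreachable"
        fi
    done
}

# Usage on the server:  check_ip_forward; show_firewall
# Usage on the client:  ping_path 172.16.0.1 <server eth1 address> 192.168.1.102
```

Run the client-side ping_path with the SNAT rule removed: with NAT in place a reply from the LAN may be translated or dropped in a way that hides which hop is actually broken.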

Die_Quelle

Re: Create a Virtual Local Area Network with openvpn

Post by Die_Quelle » Thu Jan 02, 2014 12:48 pm

Hey Michael,

Ping from the VPN server to Samba and back is possible. IP forwarding is enabled, because it is/was needed to redirect traffic to the internet. The server is completely fresh and no iptables rules were set, except the one mentioned first, to masquerade traffic to the internet.

I think there should be a rule in vpn-server.conf which disables forwarding to the internet and re-routes the traffic to the second ethernet controller (eth1) on the OpenVPN server, into the local subnet (192.168.1.X), but I really have no idea how to do that :-/

maikcat

Re: Create a Virtual Local Area Network with openvpn

Post by maikcat » Thu Jan 02, 2014 1:31 pm

Die_Quelle wrote:
I think there should be a rule in vpn-server.conf which disables forwarding to the internet

If you want to stop redirecting all traffic to your VPN server, simply replace

Code:

push "redirect-gateway def1"

with

Code:

push "route 192.168.1.0 255.255.255.0"

Also, if you do a tracert 192.168.1.102 from your OpenVPN client, what do you see?

Remove the NAT rule for testing.

Michael.

Die_Quelle

Re: Create a Virtual Local Area Network with openvpn

Post by Die_Quelle » Thu Jan 02, 2014 9:42 pm

I tried to ping 192.168.1.102 (in both cases, with push "route ..." or push "redirect-gateway ...") from a client -> timeout.
I think the OpenVPN server is routing the traffic to the wrong network interface (eth0), where no 192.168.1.102 is reachable.

Die_Quelle

maikcat

Re: Create a Virtual Local Area Network with openvpn

Post by maikcat » Fri Jan 03, 2014 10:33 am

Can you post the output of tracert 192.168.1.102 (from your OpenVPN client)?

You can also install Wireshark and see what exactly is happening...

BTW, are the NICs assigned to your VMs configured in bridged mode in Proxmox?

Michael.

Die_Quelle

Re: Create a Virtual Local Area Network with openvpn

Post by Die_Quelle » Fri Jan 03, 2014 1:04 pm

tracert 192.168.1.102:

Code:

Tracing route to 192.168.1.102 over a maximum of 30 hops

  1    30 ms    29 ms    32 ms  172.16.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *     ^C

I added a vmbr1 on both virtual machines via Proxmox.

From VPN server to Samba:

Code:

user@vpn:~# ping 192.168.1.102
PING 192.168.1.102 (192.168.1.102) 56(84) bytes of data.
64 bytes from 192.168.1.102: icmp_req=1 ttl=64 time=0.357 ms
64 bytes from 192.168.1.102: icmp_req=2 ttl=64 time=0.385 ms
64 bytes from 192.168.1.102: icmp_req=3 ttl=64 time=0.416 ms
64 bytes from 192.168.1.102: icmp_req=4 ttl=64 time=0.390 ms
^C
--- 192.168.1.102 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.357/0.387/0.416/0.020 ms
user@vpn:~# traceroute 192.168.1.102
traceroute to 192.168.1.102 (192.168.1.102), 30 hops max, 60 byte packets
 1  192.168.1.102 (192.168.1.102)  0.353 ms  0.410 ms  0.296 ms
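The thread ends here without a resolution. As an added example that is not from the thread or from either poster, the script below assembles the pieces maikcat's replies point at for a split-tunnel setup: the push "route" line that replaces push "redirect-gateway def1", IP forwarding, stateful FORWARD rules between tun0 and eth1, and a return path. The return path deserves attention because of the traces above: the client's traceroute reaches 172.16.0.1 (the server's tun0 address) and gets no further, while the server itself reaches 192.168.1.102 in one hop. With only the eth0 SNAT rule in place, a frequent cause of exactly that pattern is that 192.168.1.102 receives packets from 172.16.0.x, has no route back to that subnet via the VPN server's eth1 address, and sends its replies to its own default gateway instead; whether that is the case here is an assumption, not something the thread confirms. The interface names tun0/eth1 and the server LAN address 192.168.1.1 are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: split-tunnel OpenVPN server that forwards
# VPN clients (172.16.0.0/24 on tun0) into the LAN on eth1 (192.168.1.0/24).
# Interface names and addresses are assumptions; override via the environment.
TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth1}"
VPN_NET="${VPN_NET:-172.16.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER_LAN_IP="${SERVER_LAN_IP:-192.168.1.1}"   # hypothetical eth1 address of the server

# OpenVPN's 'route' directive takes a dotted-decimal mask, not a prefix length.
prefix_to_mask() {
    p=$1; m=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        else o=$(( (255 << (8 - p)) & 255 )); p=0; fi
        m="${m}${m:+.}${o}"
    done
    echo "$m"
}

# The server.conf line that replaces push "redirect-gateway def1": only the LAN
# prefix is sent through the tunnel, the client's internet traffic stays local.
push_route_line() {
    net=${1%/*}; plen=${1#*/}
    printf 'push "route %s %s"\n' "$net" "$(prefix_to_mask "$plen")"
}

# Stateful forwarding: VPN -> LAN is allowed, LAN -> VPN only for replies, so
# nothing on the LAN can open connections towards VPN clients.
forward_rules() {
    cat <<EOF
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Return path, option A: hide VPN clients behind the server's LAN address.
# LAN hosts then reply to an address on their own subnet and need no extra route.
nat_rule() {
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $VPN_NET -j MASQUERADE"
}

# Return path, option B: no NAT, LAN hosts see the real client addresses and
# must be told how to reach them (run on each LAN host, or on the LAN gateway).
lan_return_route() {
    echo "ip route add $VPN_NET via $SERVER_LAN_IP"
}

show() {
    echo "# server.conf: replace push \"redirect-gateway def1\" with"
    push_route_line "$LAN_NET"
    echo "# on the OpenVPN server:"
    echo "sysctl -w net.ipv4.ip_forward=1"
    forward_rules
    nat_rule
    echo "# or, instead of the MASQUERADE rule, on each LAN host:"
    lan_return_route
}

# Apply on the server: forwarding, stateful rules and option A.
apply() {
    sysctl -w net.ipv4.ip_forward=1
    forward_rules | sh -e
    nat_rule | sh -e
}

case "${1:-show}" in
    apply) apply ;;
    *) show ;;
esac
```

Without arguments the script only prints what it would do; `apply` executes it. Option A keeps LAN hosts ignorant of the VPN subnet, at the price of every VPN client appearing as the server's eth1 address in Samba's logs; option B preserves the real client address, which is preferable when file-server access should be attributable per client, but requires the route on the LAN side. Either way, dropping redirect-gateway means clients' general internet traffic no longer transits the server, which also makes the eth0 SNAT rule unnecessary for this use case.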
