Connecting two VPN Clients (a customer support use case)

How to customize and extend your OpenVPN installation.


Mark_Nelson
OpenVpn Newbie
Posts: 1
Joined: Wed Sep 03, 2014 8:51 pm


Post by Mark_Nelson » Thu Sep 04, 2014 8:04 pm

Hello,

I’d like to ask the community’s advice on how to set up OpenVPN for an unusual use case.

We are a technology reseller supporting our clients remotely. During a support session, we want to remotely access their network from our laptops and access all of the endpoints on their subnet. Of course, both the laptops and the customer’s systems are on NATted networks behind their respective firewalls. Remote desktop tools are not an option.

The concept we’ve been working with is:
1. We host an OpenVPN server (SERVER) for each customer. (Server mode, TAP interface, client-to-client)
2. The customer computer (CUST) is an OpenVPN client and connects to SERVER (Client mode, TAP interface).
3. Our remote laptops (REMOTE) connect to SERVER (Client mode, TAP interface).

The goal is to put REMOTE laptops on the CUST subnet. The SERVER is a publicly accessible, secure system that simply allows the CUST and REMOTE computers to connect to each other. Neither CUST nor REMOTE needs access to SERVER’s network or any other SERVER resources.

My question for the forum is:
1. Is this an appropriate design for our requirements?
2. I’m having trouble figuring out what (if any) interfaces to bridge and how to configure OpenVPN (see below).

The current configuration (below) allows both CUST and REMOTE to connect to SERVER. REMOTE is not getting an IP address from CUST’s subnet. Even if I statically assign an IP address on REMOTE, I can’t get ping traffic to flow. I’m not sure what I’m doing wrong, and I wish I knew more about OpenVPN.

Thank you very much,
Mark
My current SERVER configuration is:
mode server
dev tap
no-replay
verb 3
keepalive 10 60
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
duplicate-cn # TODO: Remove before flight
client-to-client
max-clients 2

Both CUST and REMOTE configurations are:
remote 192.168.200.150
dev tap
no-replay
verb 3
tls-client
dh dh1024.pem
ca ca.crt
cert client.crt
key client.key
