All Clients Showing the Same IP Address

[ynagy]

I just wondering if someone can help and I apologies if I posted on the wrong place.

I have OpenVPN working great for the last number of months with no single issue. I have configured the OpenVPN server as a routed configuration connected to 3 branches for varies usage and IP phones. It seems everything working fine but the issue now on the PBX all connection showing from the same IP address which is the OpenVPN server.
The question, how can I show the branches IP addresses instead of the OpenVPN server?

[ynagy]

Shall I change the configuration from routed to bridging configuration?

[Traffic]

Please see the Forum rules (top of page)

[ynagy]

Sorry I forget to include server and client configuration with the initial post.

Server configuration:

Code: Select all

local 172.16.71.202
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/OpenVPN-Server.crt
key /etc/openvpn/easy-rsa/keys/OpenVPN-Server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 172.16.171.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.71.0 255.255.255.0"
push "route 172.16.171.0 255.255.255.0"
push "route 172.16.172.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/serverUDP1194-status.log 20
log-append  /var/log/openvpn/serverUDP1194.log
verb 1
push "explicit-exit-notify 3"

Client Configuration:

Code: Select all

client
dev tun
proto udp
remote openvpn.mydomain.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1

[Traffic]

Have you enabled iptables NAT on your server ?

[ynagy]

Yes, I have enabled the net.ipv4.ip_forward=1 on /etc/sysctl.conf

I also created a script with the following:

Code: Select all

#!/bin/sh
iptables -t nat -A POSTROUTING -s 172.16.171.0/24 -o eth0 -j SNAT --to-source 172.16.71.202
iptables -t nat -A POSTROUTING -s 172.16.172.0/24 -o eth0 -j SNAT --to-source 172.16.71.202

to run in /etc/network/interfaces

Code: Select all

auto eth0
allow-hotplug eth0
iface eth0 inet static
        pre-up /etc/firewall-openvpn-rules.sh
address 172.16.71.202
netmask 255.255.255.0
network 172.16.71.0
broadcast 172.16.71.255
gateway 172.16.71.1

Is this what do you you mean? or you mean something different? Am I missing anything?

[Traffic]

This is NAT (Read about it):

Code: Select all

#!/bin/sh
iptables -t nat -A POSTROUTING -s 172.16.171.0/24 -o eth0 -j SNAT --to-source 172.16.71.202
iptables -t nat -A POSTROUTING -s 172.16.172.0/24 -o eth0 -j SNAT --to-source 172.16.71.202

It is also the reason all your clients appear to be the server.

You must configure a fully routed network .. This is the openvpn HOWTO:
HOWTO: Expanding the scope of the VPN to include additional machines

[ynagy]

Thank you so much for the quick reply but I am not that technical person ... I am covering additional role added to me since they fired the network guy.

Would you mind to explain a bit more in what I should do ...

[Traffic]

If you give me remote access I can do it for you .. for a fee.

[ynagy]

How much would you charge? and how long do you need?

[Traffic]

See my profile

[ynagy]

I have applied the changes as per your recommendation with no luck ... All clients still showing the server "OpenVPN" IP address. Would could be other suggestion(s)?

[DemonRok]

If you give me remote access I can do it for you .. for a fee.

Can you share the solution, i'have the same problem.

Thanks!

[TinCanTech]

Can you share the solution

See posting.php?mode=reply&f=4&t=21452#pr60564