Using a client as a gateway

cptdondo
OpenVpn Newbie
Posts: 16
Joined: Sun Jul 10, 2016 10:40 pm

Using a client as a gateway

Post by cptdondo » Sun Jul 10, 2016 10:41 pm

I'm stumped by what should be a simple openvpn setup. I have my main Openwrt router acting as an Openvpn server, and a remote router as an Openvpn client.

The client connects, and I can ssh into the client. I can ping back into my network. All of that works.

Now I want to use the openvpn client as a gateway to the subnet it's attached to. No joy. I can route packets into the openvpn tunnel; I can see it with tcpdump, and NOTHING comes out the other end.

Code:
VPN Server (192.168.4.x) <---> Openvpn tunnel (192.168.2.x) <---> VPN Client subnet (10.0.1.x)
I've set up iproute2 to forward all traffic from my laptop into the tunnel (192.168.4.99 is my laptop):

Code:
root@AP1:~# ip route show table bluebell
default via 192.168.2.1 dev tun1 
192.168.4.0/24 via 192.168.4.1 dev eth1.4 
root@AP1:~# ip rule show
0:    from all lookup 128 
1:    from all lookup local 
16383:    from 192.168.4.99 lookup bluebell 
32766:    from all lookup main 
32767:    from all lookup default 
root@AP1:~# 
I have routing set up on the client to correctly route the packets back to the 192.168.4.0/24 network.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.1.1        0.0.0.0         UG    0      0        0 eth0.2
10.0.1.0        *               255.255.255.0   U     0      0        0 eth0.2
10.0.1.1        *               255.255.255.255 UH    0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.1     192.168.2.5     255.255.255.255 UGH   0      0        0 tun0
192.168.2.5     *               255.255.255.255 UH    0      0        0 tun0
192.168.4.0     192.168.2.5     255.255.255.0   UG    0      0        0 tun0
I can ping the client end of the tunnel from my laptop, but I can't ping the 10.0.1.0/24 subnet. I can ping my laptop from the client.

I have my iptables rules set up to allow input, output, and forwarding on the tun interfaces on both server and client.

tcpdump shows packets bound for 10.0.1.x entering the tunnel on the server, but no packets leaving the tunnel.

What can I try to remedy this?

cptdondo
OpenVpn Newbie
Posts: 16
Joined: Sun Jul 10, 2016 10:40 pm

Re: Using a client as a gateway

Post by cptdondo » Mon Jul 11, 2016 2:38 pm

My server config:

Code:
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/keys/BlueBell.crt
comp-lzo yes
dev tun1
dh /etc/openvpn/dh1024.pem
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
key /etc/openvpn/keys/BlueBell.key
port 1195
proto udp
script-security 2
server 192.168.2.0 255.255.255.0
status /tmp/openvpn-status.log
verb 3
push route 192.168.4.0 255.255.255.0
up /usr/bin/set-promisc
My client config:

Code:
client
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/keys/BlueBell.crt
comp-lzo yes
dev tun
key /etc/openvpn/keys/BlueBell.key
log /tmp/openvpn.log
proto udp
remote xxxx.hopto.org 1195
resolv-retry infinite
user nobody
verb 6

TinCanTech
OpenVPN Protagonist
Posts: 9019
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using a client as a gateway

Post by TinCanTech » Mon Jul 11, 2016 3:36 pm


cptdondo
OpenVpn Newbie
Posts: 16
Joined: Sun Jul 10, 2016 10:40 pm

Re: Using a client as a gateway

Post by cptdondo » Mon Jul 11, 2016 5:52 pm

Thanks. That's allowed me to reach the subnet, but I'm still struggling with routing all traffic through the client. Basically, right now I can touch anything in the subnet. I need to route all traffic through the client.

Code:
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: OpenVPN 2.3.6 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 27 2015
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Mon Jul 11 13:40:45 2016 daemon.warn openvpn(BlueBell_server)[23272]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: Diffie-Hellman initialized with 2032 bit key
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: TUN/TAP device tun1 opened
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: TUN/TAP TX queue length set to 100
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: /sbin/ifconfig tun1 192.168.2.1 pointopoint 192.168.2.2 mtu 1500
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: /usr/bin/set-promisc tun1 1500 1542 192.168.2.1 192.168.2.2 init
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23180]: SIGTERM[hard,] received, process exiting
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 metric 3 gw 192.168.2.2
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.2
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: UDPv4 link local (bound): [undef]
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: UDPv4 link remote: [undef]
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: MULTI: multi_init called, r=256 v=256
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: IFCONFIG POOL: base=192.168.2.4 size=62, ipv6=0
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: IFCONFIG POOL LIST
Mon Jul 11 13:40:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: Initialization Sequence Completed
Mon Jul 11 13:42:41 2016 daemon.notice openvpn(BlueBell_server)[23272]: xx.81.17.116:35219 TLS: Initial packet from [AF_INET]xx.81.17.116:35219, sid=8cf75316 afec99e5
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: xx.81.17.116:35219 VERIFY OK: depth=1, C=US, ST=OR, L=EUGENE, O=Lethe Mnemosyne, emailAddress=xx
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: xx.81.17.116:35219 VERIFY OK: depth=0, C=US, ST=OR, O=Lethe Mnemosyne, CN=BlueBell, emailAddress=xx
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: xx.81.17.116:35219 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: xx.81.17.116:35219 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: xx.81.17.116:35219 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: xx.81.17.116:35219 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: xx.81.17.116:35219 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: xx.81.17.116:35219 [BlueBell] Peer Connection Initiated with [AF_INET]xx.81.17.116:35219
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: BlueBell/xx.81.17.116:35219 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/BlueBell
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: BlueBell/xx.81.17.116:35219 MULTI: Learn: 192.168.2.9 -> BlueBell/xx.81.17.116:35219
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: BlueBell/xx.81.17.116:35219 MULTI: primary virtual IP for BlueBell/xx.81.17.116:35219: 192.168.2.9
Mon Jul 11 13:42:42 2016 daemon.notice openvpn(BlueBell_server)[23272]: BlueBell/xx.81.17.116:35219 MULTI: internal route 0.0.0.0/0 -> BlueBell/xx.81.17.116:35219
Mon Jul 11 13:42:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: BlueBell/xx.81.17.116:35219 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 11 13:42:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: BlueBell/xx.81.17.116:35219 send_push_reply(): safe_cap=940
Mon Jul 11 13:42:45 2016 daemon.notice openvpn(BlueBell_server)[23272]: BlueBell/xx.81.17.116:35219 SENT CONTROL [BlueBell]: 'PUSH_REPLY,route 192.168.4.0 255.255.255.0,route 192.168.2.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.2.9 192.168.2.10' (status=1)
The client config file:

Code:
root@AP1:/etc/openvpn/ccd# cat BlueBell
ifconfig-push 192.168.2.9 192.168.2.10
iroute 0.0.0.0 0.0.0.0 ##### this doesn't work, I can't ping subnet at all
# iroute 192.168.2.0 255.255.255.0 ##### this works, I can ping subnet, but not outside the subnet
and my server config file:

Code:
root@AP1:/etc/openvpn/ccd# cat /tmp/etc/open*
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/keys/BlueBell.crt
client-config-dir /etc/openvpn/ccd
comp-lzo yes
dev tun1
dh /etc/openvpn/dh1024.pem
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
key /etc/openvpn/keys/BlueBell.key
port 1195
proto udp
route 0.0.0.0 0.0.0.0 192.168.2.2 3
script-security 2
server 192.168.2.0 255.255.255.0
status /tmp/openvpn-status.log
verb 3
push route 192.168.4.0 255.255.255.0
up /usr/bin/set-promisc
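The configs in this post are the routed (tun) attempt: a `route` on the server and an `iroute` in the ccd file. OpenVPN needs both for a subnet behind a client in tun mode: `route` makes the server's kernel hand packets to the tun device, and `iroute` tells OpenVPN which connected client owns that subnet. Either one without the other gives exactly the symptom reported in the first post (packets enter the tunnel on the server and nothing comes out). The following POSIX sh checker is an added example, not code from the thread or from the OpenVPN project; it cross-checks a server config against its client-config-dir and runs against a constructed sample when started with no arguments.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): cross-check the
# "route" lines of an OpenVPN server config against the "iroute" lines in its
# client-config-dir. For a subnet behind a tun client OpenVPN needs both:
# "route" makes the server kernel hand packets to the tun device, "iroute"
# tells OpenVPN which connected client owns that subnet.

# Print "NET MASK" for every line starting with keyword $1 in files $2..;
# trailing gateway/metric fields (route NET MASK GW METRIC) are ignored.
extract_routes() {
  kw=$1
  shift
  awk -v kw="$kw" '$1 == kw && NF >= 3 { print $2, $3 }' "$@" 2>/dev/null | sort -u
}

# check_iroute_pairs SERVER_CONF CCD_DIR
# Prints one line per mismatch; prints nothing when every route has a
# matching iroute and every iroute has a matching route.
check_iroute_pairs() {
  conf=$1
  ccd=$2
  srv=$(extract_routes route "$conf")
  cli=$(extract_routes iroute "$ccd"/*)
  printf '%s\n' "$srv" | while read -r net mask; do
    [ -n "$net" ] || continue
    printf '%s\n' "$cli" | grep -qxF "$net $mask" ||
      echo "route-without-iroute $net/$mask: kernel routes into the tun, but no client claims this subnet"
  done
  printf '%s\n' "$cli" | while read -r net mask; do
    [ -n "$net" ] || continue
    printf '%s\n' "$srv" | grep -qxF "$net $mask" ||
      echo "iroute-without-route $net/$mask: a client claims this subnet, but the server kernel never routes into the tun"
  done
}

# Constructed sample mirroring the thread's layout (192.168.2.0/24 tunnel,
# ccd entry for client "BlueBell"). 172.16.5.0/24 and 192.168.50.0/24 are
# deliberately left half-configured so the checker has something to report.
make_sample() {
  d=$1
  mkdir -p "$d/ccd"
  cat > "$d/server.conf" <<'EOF'
server 192.168.2.0 255.255.255.0
client-config-dir ccd
route 10.0.1.0 255.255.255.0
route 172.16.5.0 255.255.255.0 192.168.2.2 3
push "route 192.168.4.0 255.255.255.0"
EOF
  printf 'ifconfig-push 192.168.2.9 192.168.2.10\niroute 10.0.1.0 255.255.255.0\n' > "$d/ccd/BlueBell"
  printf 'iroute 192.168.50.0 255.255.255.0\n' > "$d/ccd/Other"
}

# Usage: sh check_iroute.sh /etc/openvpn/server.conf /etc/openvpn/ccd
# With no arguments it runs against the constructed sample above.
if [ $# -eq 2 ]; then
  check_iroute_pairs "$1" "$2"
elif [ $# -eq 0 ]; then
  sample=$(mktemp -d)
  make_sample "$sample"
  check_iroute_pairs "$sample/server.conf" "$sample/ccd"
  rm -rf "$sample"
fi
```

On the sample it reports `172.16.5.0/24` as a route with no iroute and `192.168.50.0/24` as an iroute with no route; `10.0.1.0/24` is correctly paired and produces no output. The ccd entry `iroute 0.0.0.0 0.0.0.0` from the post would pair with the server's `route 0.0.0.0 0.0.0.0 192.168.2.2 3`, so the checker cannot explain why that combination failed for the author; it only catches the common case of one half missing.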

cptdondo
OpenVpn Newbie
Posts: 16
Joined: Sun Jul 10, 2016 10:40 pm

Re: Using a client as a gateway

Post by cptdondo » Tue Jul 12, 2016 10:53 am

Well I got it figured out. It's apparently impossible (or at least beyond my skills) to do it with a routed setup (tunX) but trivial with bridged (tapX). I'll post configs later. :)

cptdondo
OpenVpn Newbie
Posts: 16
Joined: Sun Jul 10, 2016 10:40 pm

Re: Using a client as a gateway

Post by cptdondo » Tue Jul 12, 2016 11:18 am

As promised, the mini-HOWTO for setting up an OpenVPN client as a default route for a machine. We want to route all traffic from ip 192.168.4.12 through the OpenVPN client.

On the server:

My base network is 192.268.4.0/24
Bridge the physical interface and the tapX device - in my case the bridged interface is br-auth
Adjust firewall rules to fit

then set up OpenVPN:

Code:
ca /etc/openvpn/ca.crt
cert /etc/openvpn/keys/BlueBellTap.crt
comp-lzo yes
dev tap
dh /etc/openvpn/dh1024.pem
keepalive 10 60
key /etc/openvpn/keys/BlueBellTap.key
mssfix 1420
port 1196
proto udp
server-bridge 192.168.4.151 255.255.255.0 192.168.4.152 192.168.4.153
status /tmp/openvpn-tap.log
verb 3
Make sure the range in server-bridge is outside the DHCP range for your network. In my case, the client won't have any connections, so I don't need a DHCP range at all.

on the client:

Code:
client
float
nobind
persist-key
ca /etc/openvpn/ca.crt
cert /etc/openvpn/keys/BlueBellTap.crt
comp-lzo yes
dev tap
key /etc/openvpn/keys/BlueBellTap.key
log /tmp/openvpntap.log
remote xxx.xxx.xxx 1196
reneg-sec 0
resolv-retry infinite
verb 6
Set up firewall, routing and masquerading on the client. On the client, the tap0 interface will have ip 192.168.4.152.

On the server, route all of the 192.168.4.12 traffic to the new gateway behind 192.168.4.152:

Code:
root@AP1:/tmp/etc# ip rule show
0:      from all lookup 128
1:      from all lookup local
16383:  from 192.168.4.12 lookup bluebell
32766:  from all lookup main
32767:  from all lookup default
root@AP1:/tmp/etc#

Code:
root@AP1:/tmp/etc# ip route show table bluebell
default via 192.168.4.152 dev br-auth
192.168.4.0/24 via 192.168.4.1 dev br-auth
root@AP1:/tmp/etc#
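The HOWTO above gives the server-side policy routing (`ip rule` plus the `bluebell` table) but leaves "firewall, routing and masquerading on the client" to the reader; the first post's `ip rule`/`ip route show table` output is the same technique applied to the tun attempt. The script below is an added example, not code from the thread or from the OpenVPN project, that puts both halves in one place. The interface names br-auth, tap0 and eth0.2 and the addresses come from the thread; the iptables rules, the `conntrack` match and the `DRY_RUN` rehearsal mode are assumptions the thread does not show.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): the two halves
# of the bridged (tap) gateway setup. Server side: policy routing sends one
# LAN host's traffic to the VPN client's tap address instead of the normal
# default gateway. Client side: forward that traffic out of the client's own
# uplink and masquerade it. iptables rules and DRY_RUN are assumptions.

# Execute a command, or only print it when DRY_RUN is set, so the sequence
# can be rehearsed (and tested) without root and without touching live tables.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# server_policy_route SRC_IP VPN_GW BRIDGE_IF LAN_CIDR TABLE
# Routes everything from SRC_IP via VPN_GW (the client's tap address) while
# keeping the local LAN reachable directly. TABLE may be a number (no
# /etc/iproute2/rt_tables edit needed) or a name such as bluebell.
server_policy_route() {
  src=$1; gw=$2; dev=$3; lan=$4; table=$5
  run ip route replace "$lan" dev "$dev" table "$table"
  run ip route replace default via "$gw" dev "$dev" table "$table"
  # priority 16383 places the rule ahead of main/default, as in the thread
  run ip rule add from "$src" lookup "$table" priority 16383
}

# client_gateway TAP_IF WAN_IF
# Turns the VPN client into a NAT gateway for traffic arriving on its tap.
# Only tap->wan is opened; return traffic is limited to established flows,
# so the client does not become a general-purpose router for its uplink.
client_gateway() {
  tap=$1; wan=$2
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -A FORWARD -i "$tap" -o "$wan" -j ACCEPT
  run iptables -A FORWARD -i "$wan" -o "$tap" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# has_rule SRC_IP TABLE   (reads "ip rule show" output on stdin)
# Confirms the policy rule is in place: ip rule show | has_rule 192.168.4.12 bluebell
has_rule() {
  grep -qF "from $1 lookup $2"
}

case "${1:-}" in
  server) server_policy_route 192.168.4.12 192.168.4.152 br-auth 192.168.4.0/24 bluebell ;;
  client) client_gateway tap0 eth0.2 ;;
  *) echo "usage: $0 server|client   (set DRY_RUN=1 to print the commands instead of running them)" ;;
esac
```

Run `DRY_RUN=1 sh gateway.sh server` on the OpenWrt router to see the exact `ip` commands before applying them, then `sh gateway.sh client` on the remote router. With a named table such as `bluebell`, the name must exist in /etc/iproute2/rt_tables; passing a number like `100` avoids that dependency.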

TinCanTech
OpenVPN Protagonist
Posts: 9019
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using a client as a gateway

Post by TinCanTech » Tue Jul 12, 2016 11:50 am

cptdondo wrote:
    server-bridge 192.168.4.151 255.255.255.0
For clarity, you should note:
The Manual wrote:
    --server-bridge gateway netmask
    • The gateway and netmask parameters to --server-bridge can be set to either the IP/netmask of the bridge interface, or the IP/netmask of the default gateway/router on the bridged subnet.
This is quite ambiguous and in my experience the IP/Mask should be that of the subnet default gateway.
