But do feel free to add any clues regarding the questions below, it would certainly help me, and no doubt others, considering related questions on the forum seem to have been unanswered!
I am hoping to configure OpenVPN AS to allow external (WAN) ovpn clients to reach a LAN through an OpenVPN client/gateway.
The OpenVPN docs for doing this are not helping.
Setting aside that OpenVPN's doc search doesn't work, using google I find only two somewhat relevant docs:
How to configure a host as a gateway for client-side subnets
https://openvpn.net/vpn-server-resource ... e-subnets/
Close to what I want, though with obtuse additional aspects.
Site-to-site routing explained in detail
https://docs.openvpn.net/connecting/sit ... in-detail/
Not exactly the use-case in mind, but we might be able to learn something if these docs were less vague and cluttered with extraneous detail like how to operate a web page.
But let's examine the first doc, blow by blow.
This needs to distinguish the case where all traffic FROM the client-side subnet routes through the VPN, versus the case where the VPN only provides access TO the client-side LAN for traffic from other VPN clients.
> Introduction
> If you wish to have particular client-side subnets routed through the VPN, you must ensure that:
"Specified"... as, or for, what?
> Your Access Server is properly configured so that the User Permissions page has the desired client-side subnets specified for the corresponding users.
"The host" -- meaning the OS of the machine running the VPN client/gateway. And here we hope to learn what is or is not taken care of by AS's "VPN Gateway: Configure = Yes" setting.
> The host of each VPN client that is to act as a gateway must be configured to forward traffic to/from the VPN.
Very ambiguous sentence structure. Translation: "For a machine running the VPN client and wishing to access subnets of other clients, adjust its OS's network routing configuration to account for those other-client subnets."
> Your network routing configuration (for any hosts on the VPN that may use the client-side subnets) is adjusted to account for the client-side subnets on the VPN.
And again, how does this relate to AS's "VPN Gateway: Configure = Yes" setting?
Wait, what? There's a special "OpenVPN-AS" client software? Is this different from the normal OpenVPN client?
> Example Scenario
> Let's say that a particular user with username "fred" connects to the office VPN (the Access Server) from his home. His main PC at home has multiple network interfaces, with one connected to the Internet (say, via a DSL router) and another interface connected to a personal "test network". All hosts on the test network have an IP address in the 192.168.10.0/24 subnet. For instance, Fred's main PC has the address 192.168.10.1 on the test network.
> Fred connects to the VPN using the OpenVPN-AS client software running on his main PC.
And this example is made all the more obtuse because fred's PC has multiple network interfaces. Gaaaa. What if fred has only one LAN network?
So I guess this is going to cover two distinct use-cases:
> Now the goal is to make the test network accessible to other users via the VPN, including users on a back-end network in the office.
1. Other WAN clients running OpenVPN and connected to the office VPN OpenVPN AS.
2. Workplace LAN clients that are unaware of OpenVPN.
Why are we going on a detour to set up user fred when he can already log in to the VPN server? Surely he already has a User account?
> User Permissions Configuration
> The Access Server administrator must adjust the settings for username "fred" on the User Permissions page to enable this application. If there is no entry for "fred" on the User Permissions page, the administrator adds one by entering "fred" in the "New Username" box.
Good, we're making some progress -- let's see the example settings...
> The administrator clicks the "Show" link on fred's entry in the User Permissions table, to see the drop-down box of settings specific to the user "fred". Next, the administrator makes the following changes:
And in this example, that IP address would be what? This is crucial.
> Sets a static VPN IP address:
Again -- the point of an example is to show the *&^%%$ example! I think:
> Specifies the client-side subnet to route through the user's VPN client
"the client-side subnet" = 192.168.10.0/24
"the user" = fred
"VPN client" = the one running on fred's "main PC at home"
And what does this do? Does it permit other VPN clients (or clients on the workplace LAN) to access the "test network"? Or does it force all traffic from the "test network" to go to the VPN? Or both?
"the user" = fred
> Turns on Auto-Login for the user that will act as a gateway client
And having done this, does this mean that if fred goes to some remote location on the WAN, he can no longer usefully use OpenVPN to log in (for example to remotely access his home "test network"), but must instead use a different user name?
Which router? The one at fred's home? Or the one at the workplace?
> Changes to be made at the Router:
Because? And if the routing is static, do those static routes need to be specified somewhere?
> – Static routing will need to be enabled
Somehow fred has left the building, and "you" are now supposed to do something. Tentative translation:
> – You will need to add the VPN's subnet as a static route to the machine you are running the gateway client on
On fred's machine, the OS settings for static routes have to be altered so that the VPN's subnet (which is what in this example?) is set to static, and presumably set to some specific route (which is in this example?)
And again, how does this relate, or not, to AS's "VPN Gateway: Configure = Yes" setting?
How will we know that this specific thing is needed? What versions of linux does this apply to? What does it do?
> *NOTE: If trying to run a linux client in gateway mode you may need to run this command to enable routing:
> sysctl -w net.ipv4.ip_forward=1
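As an added example (my own script, not code from the OpenVPN docs or from the post above), here is a pre-flight check for the Linux host that would play fred's gateway client. It covers the two host-side items the quoted doc lists, forwarding on the gateway host and the static route for the VPN subnet, and prints the commands that fix whatever is missing. Assumptions, none of which the page states: the VPN subnet is a placeholder 172.27.224.0/20 (read the real value from the Access Server's VPN Settings page and pass it as VPN_SUBNET); the gateway host's LAN address is 192.168.10.1 on 192.168.10.0/24 as in the doc's example; and the doc's static-route bullet is read as follows: the gateway host itself gets its route to the VPN subnet from the tunnel when the client connects, while the other LAN hosts (or the LAN's default router) need a route to the VPN subnet via the gateway host's LAN address, otherwise their replies leave through the DSL router and never reach the VPN.

```shell
#!/bin/sh
# Added example, not from the OpenVPN docs or the forum post: pre-flight
# check for a Linux host acting as an OpenVPN "gateway client" for the LAN
# behind it. Verifies the host-side requirements and prints fixes.
#
# Assumed placeholder values (not stated on the page): VPN subnet
# 172.27.224.0/20 (take yours from the Access Server's VPN Settings page),
# gateway host LAN address 192.168.10.1, LAN 192.168.10.0/24.
VPN_SUBNET="${VPN_SUBNET:-172.27.224.0/20}"
GW_LAN_IP="${GW_LAN_IP:-192.168.10.1}"
LAN_SUBNET="${LAN_SUBNET:-192.168.10.0/24}"

# ip_forward_enabled FILE: succeed if the sysctl value stored in FILE is 1.
# On a live host FILE is /proc/sys/net/ipv4/ip_forward; the path is a
# parameter so the check can be exercised against a constructed file.
ip_forward_enabled() {
    [ -r "$1" ] || return 1
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# has_route TABLE SUBNET: succeed if SUBNET is a destination in TABLE, the
# text of `ip route show` (the first field of each line is the destination).
has_route() {
    printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { found = 1 } END { exit found ? 0 : 1 }'
}

# forwarding_fix: enable forwarding now, and make it survive a reboot.
forwarding_fix() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-openvpn-gateway.conf'
}

# lan_route_fix SUBNET GW: the static route every other LAN host (or the
# LAN's default router) needs, so that replies to VPN addresses are sent to
# the gateway host instead of to the Internet router.
lan_route_fix() {
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# check_gateway_host VPN_SUBNET GW_LAN_IP LAN_SUBNET: run the checks on
# this host; returns 1 if anything is missing.
check_gateway_host() {
    rc=0
    if ip_forward_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "ok: net.ipv4.ip_forward=1"
    else
        echo "missing: IP forwarding is off on this host; as root run:"
        forwarding_fix | sed 's/^/    /'
        rc=1
    fi
    if command -v ip >/dev/null 2>&1; then
        table=$(ip route show 2>/dev/null)
        if has_route "$table" "$1"; then
            echo "ok: route to VPN subnet $1 present (tunnel is up)"
        else
            echo "missing: no route to $1; connect the VPN client first"
            rc=1
        fi
        has_route "$table" "$3" || { echo "missing: $3 is not a directly connected LAN here"; rc=1; }
    else
        echo "skip: ip(8) not found, cannot inspect the routing table"
    fi
    echo "on every other LAN host (or on the LAN router), add:"
    lan_route_fix "$1" "$2" | sed 's/^/    /'
    echo "note: ip_forward alone is not enough if a firewall's FORWARD chain drops tun<->LAN traffic"
    return $rc
}

if ! check_gateway_host "$VPN_SUBNET" "$GW_LAN_IP" "$LAN_SUBNET"; then
    echo "gateway host is not ready"
fi
```

Run it as root on the gateway host after the OpenVPN client has connected. If you cannot add routes on the LAN side, the fallback is to NAT VPN-sourced traffic on the gateway host (iptables -t nat -A POSTROUTING -s VPN_SUBNET -o LAN_INTERFACE -j MASQUERADE); LAN hosts then see the gateway's address rather than the VPN client's, which matters if anything on the LAN uses source addresses for access control. The script only reports what the host looks like; it cannot tell whether AS's "VPN Gateway: Configure = Yes" setting performs any of these steps for you.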