Tunneling through OpenVPN Client->Server->Server

ian999999
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 05, 2011 6:42 pm

Tunneling through OpenVPN Client->Server->Server

Post by ian999999 » Thu Sep 27, 2012 2:25 pm

Hi there,

I have 2 OpenVPN Servers set up, one in Japan and another in the UK.

What I would like is to be able to connect to the Japan Server and have the connection tunnel through to UK and come out there. As per the subject:

client->Server->Server

I'm having some problems so thought maybe somebody could shed some light on how to resolve this.

1. The links all work, I have the client connecting to Japan fine, the Japan Server connecting to the UK fine.
2. I have tested network traffic over links (masqueraded) and if I connect directly to Japan (when not connected to UK) internet works, and when I connect directly to UK it works, but when I connect the Japan to UK, the traffic does not seem to pass through.

If I use redirect gateway, the VPN connection to the JP Server drops.

Any ideas or sample configs / routes on how to achieve this? Note, the VPN connections work fine on their own, it's just linking it all together I have issues with.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Tunneling through OpenVPN Client->Server->Server

Post by janjust » Fri Sep 28, 2012 11:13 am

This is possible, but you need to add a specific route to the first VPN server before redirecting the default GW to the second VPN server.

Post your configs and perhaps we can tell how to fix it.

ian999999
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 05, 2011 6:42 pm

Re: Tunneling through OpenVPN Client->Server->Server

Post by ian999999 » Fri Sep 28, 2012 11:41 am

Ok thanks Jan (I have your book by the way, very good!)

Relay Server Configuration File relaysrv.conf
Server in UK

port 1191
proto udp
dev tun11
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/relay.crt
key /etc/openvpn/keys/relay.key
dh /etc/openvpn/keys/dh2048.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.254.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 200
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status relay-status.log
log-append  realysrv.log
verb 3

Relay Server Client relay.conf
Server in Japan

client
ns-cert-type server
local 999.999.240.100
dev tun11
proto udp
remote myrelayserver 1191
resolv-retry infinite
ping-restart 60
persist-key
ca /etc/openvpn/relay/ca.crt
cert /etc/openvpn/relay/client.crt
key /etc/openvpn/relay/client.key
comp-lzo
verb 3
log-append relay.log

Client server conf client.conf
Japan Server

local 999.999.240.235
port 443
proto udp
dev tun3
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.4.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 60
comp-lzo
max-clients 50
user nobody
group nogroup
persist-key
persist-tun

On the UK Server, clients on TUN11 are masqueraded to eth0 ~ this works fine, can access net no problem when connecting from desktop client
On the JP Server, I had hoped to masquerade the clients on TUN3 to TUN11, but this did not work.
JP Server has 2 IP Addresses, 999.999.240.100 & 999.999.240.235 (obviously the 999 is a mask).

What I suspect is I need to push a route to the JP Server from the UK server, but this is where I get a little fuzzy.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Tunneling through OpenVPN Client->Server->Server

Post by janjust » Fri Sep 28, 2012 1:36 pm

Try and break the problem down: does it work without the redirect gateway? Can you add a direct route to the second VPN server via the first (i.e. do a push route on the first server: push "route A.B.C.D 255.255.255.255")?

First make sure the second VPN tunnel works via the first, then try to redirect the default GW again.

ian999999
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 05, 2011 6:42 pm

Re: Tunneling through OpenVPN Client->Server->Server

Post by ian999999 » Fri Sep 28, 2012 2:28 pm

Hrmmm... there already is a push route on the first server

push "route 172.16.254.0 255.255.255.0"

Not sure I completely get you here.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Tunneling through OpenVPN Client->Server->Server

Post by janjust » Fri Sep 28, 2012 3:39 pm

After connecting to the first server, how does your client connect to the second server?
Make sure there is a direct (/32) route to the second VPN server.

ian999999
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 05, 2011 6:42 pm

Re: Tunneling through OpenVPN Client->Server->Server

Post by ian999999 » Fri Sep 28, 2012 3:50 pm

This is the bit I have to admit I am a bit fuzzy on.

I had thought the client would be able to masquerade through the TUN connection, much the same way a client normally masquerades through an ethernet.

i.e. instead of masquerading to eth0, I was masquerading to TUN11 but this did not work. Perhaps I am going about it the wrong way, but I thought this would be the way to do it?

ian999999
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 05, 2011 6:42 pm

Re: Tunneling through OpenVPN Client->Server->Server

Post by ian999999 » Sat Sep 29, 2012 6:20 am

Just working through this again today.

I can confirm that when you connect to the UK6 relay through the desktop, the route command works (without setting the default gateway) and there is no problem browsing the net.

Of course, likewise, connecting to the Japan server without trying to masquerade the incoming VPN connection to the outgoing VPN TUN works as well.

It's when I masquerade incoming 10.8.0.0/16 to TUN 11 the problems occur.

What am I missing? Here is the routing table:

root@jp2:/etc/openvpn# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.1      172.16.0.9      255.255.255.255 UGH   0      0        0 tun11
10.8.4.2        *               255.255.255.255 UH    0      0        0 tun3
10.8.6.2        *               255.255.255.255 UH    0      0        0 tun5
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
172.16.0.9      *               255.255.255.255 UH    0      0        0 tun11
10.8.3.2        *               255.255.255.255 UH    0      0        0 tun2
10.8.6.0        10.8.6.2        255.255.255.0   UG    0      0        0 tun5
10.8.4.0        10.8.4.2        255.255.255.0   UG    0      0        0 tun3
10.8.3.0        10.8.3.2        255.255.255.0   UG    0      0        0 tun2
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
172.16.254.0    172.16.0.9      255.255.255.0   UG    0      0        0 tun11
999.999.240.0     *               255.255.255.0   U     0      0        0 eth0
999.999.240.0     *               255.255.255.0   U     0      0        0 eth1
default         50.31.240.1.sta 0.0.0.0         UG    100    0        0 eth0

Note the other TUNs are just clones of the server running on different ports. TUN11 is the relay client connected to UK.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Tunneling through OpenVPN Client->Server->Server

Post by Mimiko » Mon Oct 08, 2012 7:26 am

On server in Japan you have to forward traffic from the tunnel with the client to the tunnel with server in UK, as I understood. For this you have to do 2 things:
1) Masquerade traffic thru tunnel of server-server:
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE
2) Redirect gateway for client tunnel:
iptables -t nat -A PREROUTING -i tun3 -j DNAT --to 172.31.0.23

Not sure for second command, but this is the idea.

ian999999
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 05, 2011 6:42 pm

Re: Tunneling through OpenVPN Client->Server->Server

Post by ian999999 » Mon Oct 15, 2012 1:35 pm

Hrmm thanks for the suggestion, but this did not work. :-/

Still looking for ideas here.

ian999999
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 05, 2011 6:42 pm

Re: Tunneling through OpenVPN Client->Server->Server

Post by ian999999 » Tue Oct 16, 2012 1:59 am

Solved it.

Had to add a specific source routing command

ip route add default via 172.16.0.5 dev tun11 table VPN
ip rule add from 10.8.0.0/16 table VPN
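
Why the two commands above change the outcome, as an added example that is not part of the original posts: a small model of Linux policy routing (rules walked in priority order, longest-prefix match per table) fed with an abridged copy of the routing table posted earlier in the thread. The function names, the client address 10.8.4.6, the destination 198.51.100.7 and the 192.0.2.x stand-ins for the masked 999.999.240.x addresses are assumptions made for the example.

```python
import ipaddress

# Main table, abridged from the `route` output in the thread. 192.0.2.0/24
# is a constructed stand-in for the masked 999.999.240.0 network.
MAIN = [
    ("10.8.4.0/24", "tun3"),
    ("172.16.0.1/32", "tun11"),
    ("172.16.254.0/24", "tun11"),
    ("192.0.2.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),
]
# Table VPN after `ip route add default via 172.16.0.5 dev tun11 table VPN`.
VPN = [("0.0.0.0/0", "tun11")]


def table_lookup(routes, dst):
    """Longest-prefix match; None when no route in the table covers dst."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), dev) for n, dev in routes
            if dst in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def egress(rules, tables, src, dst):
    """Walk `ip rule` entries in priority order; first table with a match wins."""
    src = ipaddress.ip_address(src)
    for selector, name in rules:
        if src in ipaddress.ip_network(selector):
            dev = table_lookup(tables[name], dst)
            if dev is not None:
                return dev
    return None


BEFORE = [("0.0.0.0/0", "main")]
# `ip rule add from 10.8.0.0/16 table VPN` is evaluated ahead of main.
AFTER = [("10.8.0.0/16", "VPN"), ("0.0.0.0/0", "main")]
TABLES = {"main": MAIN, "VPN": VPN}

if __name__ == "__main__":
    client, jp_server, site = "10.8.4.6", "192.0.2.235", "198.51.100.7"
    print("before:", egress(BEFORE, TABLES, client, site))     # eth0
    print("after: ", egress(AFTER, TABLES, client, site))      # tun11
    print("server:", egress(AFTER, TABLES, jp_server, site))   # eth0
    # tun11 down: the kernel drops the VPN-table route, lookup falls through.
    print("tun11 down:", egress(AFTER, {"main": MAIN, "VPN": []}, client, site))
```

The last case is the one to verify on a real relay: when tun11 goes down its route leaves table VPN, the lookup falls through to main, and forwarded client traffic heads for eth0 in Japan unless firewall rules stop it. A higher-metric `unreachable default` route in table VPN keeps that traffic from falling through.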

garevans
OpenVpn Newbie
Posts: 2
Joined: Sat Mar 05, 2016 3:44 am

Re: Tunneling through OpenVPN Client->Server->Server

Post by garevans » Thu Dec 01, 2016 10:57 pm

4 years later & your post has helped point me in the right direction.

Thanks for taking the time to come back and post the actual fix.

:)

stevejoe
OpenVpn Newbie
Posts: 1
Joined: Wed Dec 28, 2016 5:39 pm

Re: Tunneling through OpenVPN Client->Server->Server

Post by stevejoe » Wed Dec 28, 2016 5:42 pm

ian999999 wrote: Solved it.

Had to add a specific source routing command

ip route add default via 172.16.0.5 dev tun11 table VPN
ip rule add from 10.8.0.0/16 table VPN

Can you share your complete solution here bro?

marcovillar2
OpenVpn Newbie
Posts: 2
Joined: Sun Nov 29, 2020 5:12 pm

Re: Tunneling through OpenVPN Client->Server->Server

Post by marcovillar2 » Sun Nov 29, 2020 5:15 pm

Hi,

I am facing the same problem. Can someone share the full solution please?
I am trying to do Client -> relayserver -> server
Thanks
Marco.
