Create a Virtual Local Area Network with openvpn

Posted: Thu Jan 02, 2014 2:28 am
by Die_Quelle
Hey guys,

I am stuck on creating a solution with openvpn like this:

Image

I want to connect my clients to the vpn-server (which works great), but the problem is that I can't access any vserver in the 192.168.1.1 subnet.

The config should contain a rule that any computer in the 192.168.1.1 subnet is reachable by the client.

My current openvpn config (server):

port 1194
proto udp
dev tun
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
server 172.16.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
ca /ca.crt
cert vpnserver.crt
key vpnserver.key

Additionally, the iptables rule for accessing the internet via vpn:

iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j SNAT --to 144.76.x.x

Does anyone have a solution for this?
Thanks a lot

Re: Create a Virtual Local Area Network with openvpn

Posted: Thu Jan 02, 2014 7:08 am
by maikcat
Are your servers OpenVZ containers?

Michael.

Re: Create a Virtual Local Area Network with openvpn

Posted: Thu Jan 02, 2014 11:21 am
by Die_Quelle
I am virtualizing with Proxmox. At the moment they are fully kernel-based virtual machines.
Are there differences between OpenVZ and KVM in using openvpn?

At least, as you can see in my server config, I am accessing the www via my server. (Both should be possible.)

Thanks for the reply.

Re: Create a Virtual Local Area Network with openvpn

Posted: Thu Jan 02, 2014 11:44 am
by maikcat
Are there differences between openvz or kvm in using openvpn?
Yes, regarding networking components.

some things to check:

1) Did you enable IP forwarding on the openvpn server itself?

2) Can you disable, for testing, any firewall rules on the openvpn server itself?

3) Can you ping the openvpn server's LAN IP from your client? (with NAT off)

Michael.

Re: Create a Virtual Local Area Network with openvpn

Posted: Thu Jan 02, 2014 12:48 pm
by Die_Quelle
Hey Michael,

Ping from VPN-Server to Samba and back is possible. IP forwarding is enabled, because it is / was needed to enable redirecting traffic to the internet. The server is completely fresh and no iptables rules were set, except the one mentioned first, for masquerading traffic to the internet.

I think there should be a rule in the vpn-server.conf which disables the forwarding to the internet and re-routes the traffic to the second ethernet controller (eth1) on the openvpn server, to the local subnet (192.168.1.X), but I really have no idea how to do that :-/

Re: Create a Virtual Local Area Network with openvpn

Posted: Thu Jan 02, 2014 1:31 pm
by maikcat
i think there should be a rule in the vpn-server.conf which disable the forwarding to the internet
If you want to disable redirecting all traffic to your vpn server, simply replace

push "redirect-gateway def1"
with

push "route 192.168.1.0 255.255.255.0"

Also, if you do a tracert 192.168.1.102 from your openvpn client, what do you see?

Remove the NAT rule for testing.

Michael.
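The LAN-only routing change above, as an added example that is not part of the thread: a POSIX shell script giving the server-side forwarding and NAT that the pushed route depends on, plus a small check of which destinations such a route captures on the client. It assumes (the thread does not say) that the VPN server reaches the LAN on eth1, that the LAN is 192.168.1.0/24 and that the tunnel pool is 172.16.0.0/24.

```sh
#!/bin/sh
# Added example, not from the thread: the LAN-only routing maikcat suggests,
# the server-side forwarding it depends on, and a check of which destinations
# a pushed route captures. Assumed (not given in the thread): the VPN server
# reaches the LAN on eth1, the LAN is 192.168.1.0/24, the tunnel is 172.16.0.0/24.
TUN_NET=172.16.0.0/24
TUN_IF=tun0
LAN_NET=192.168.1.0
LAN_MASK=255.255.255.0
LAN_IF=eth1

# Dotted quad -> 32-bit integer using only shell word splitting and arithmetic
# (runs in a subshell so the IFS change stays local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 0 (true) when address $1 lies in network $2 with netmask $3. This is the
# comparison the client kernel makes against the route pushed by the server:
# matching destinations go through the tunnel, everything else stays local.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Server side (run as root). In server.conf, replace
#   push "redirect-gateway def1"
# with
#   push "route 192.168.1.0 255.255.255.0"
# then allow forwarding between tun0 and eth1 for the LAN only, and masquerade
# the tunnel pool behind eth1 so LAN hosts can answer without a static route
# back to 172.16.0.0/24 (the thread's SNAT rule only rewrites traffic on eth0).
apply_lan_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -s "$TUN_NET" -d "$LAN_NET/24" -j ACCEPT
    iptables -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$TUN_NET" -j MASQUERADE
}

# Self-check of the route logic; the root-only part runs only on request.
if [ "${1:-}" = "--apply" ]; then
    apply_lan_forwarding
else
    in_subnet 192.168.1.102 "$LAN_NET" "$LAN_MASK" && echo "192.168.1.102 goes via the tunnel"
    in_subnet 8.8.8.8 "$LAN_NET" "$LAN_MASK" || echo "8.8.8.8 stays on the local uplink"
fi
```

Run it without arguments to check the route logic; `--apply` as root installs the forwarding rules.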

Re: Create a Virtual Local Area Network with openvpn

Posted: Thu Jan 02, 2014 9:42 pm
by Die_Quelle
I tried to ping 192.168.1.102 (in both cases, with push-route... or push-redirect) from a client -> timeout.
I think the openvpn server is routing the traffic to the wrong network interface (eth0), where no 192.168.1.102 is reachable.

Die_Quelle

Re: Create a Virtual Local Area Network with openvpn

Posted: Fri Jan 03, 2014 10:33 am
by maikcat
Can you post the output of tracert 192.168.1.102 (from your openvpn client)?

You can also install Wireshark and see what exactly is happening...

By the way, are the NICs assigned to your VMs configured in bridged mode in Proxmox?

Michael.

Re: Create a Virtual Local Area Network with openvpn

Posted: Fri Jan 03, 2014 1:04 pm
by Die_Quelle
tracert 192.168.1.102:

Routenverfolgung zu 192.168.1.102 über maximal 30 Abschnitte

  1    30 ms    29 ms    32 ms  172.16.0.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     *        *        *     Zeitüberschreitung der Anforderung.
  5     *        *        *     Zeitüberschreitung der Anforderung.
  6     *        *        *     Zeitüberschreitung der Anforderung.
  7     *        *        *     Zeitüberschreitung der Anforderung.
  8     *        *        *     Zeitüberschreitung der Anforderung.
  9     *        *        *     Zeitüberschreitung der Anforderung.
 10     *        *        *     Zeitüberschreitung der Anforderung.
 11     *        *        *     Zeitüberschreitung der Anforderung.
 12     *        *        *     Zeitüberschreitung der Anforderung.
 13     *        *        *     Zeitüberschreitung der Anforderung.
 14     *        *        *     Zeitüberschreitung der Anforderung.
 15     *        *        *     Zeitüberschreitung der Anforderung.
 16     *        *        *     Zeitüberschreitung der Anforderung.
 17     *        *        *     Zeitüberschreitung der Anforderung.
 18     *        *        *     Zeitüberschreitung der Anforderung.
 19     *        *        *     Zeitüberschreitung der Anforderung.
 20     *        *        *     Zeitüberschreitung der Anforderung.
 21     *     ^C

I added a vmbr1 on both virtual machines via Proxmox.

From vpn to samba:

user@vpn:~# ping 192.168.1.102
PING 192.168.1.102 (192.168.1.102) 56(84) bytes of data.
64 bytes from 192.168.1.102: icmp_req=1 ttl=64 time=0.357 ms
64 bytes from 192.168.1.102: icmp_req=2 ttl=64 time=0.385 ms
64 bytes from 192.168.1.102: icmp_req=3 ttl=64 time=0.416 ms
64 bytes from 192.168.1.102: icmp_req=4 ttl=64 time=0.390 ms
^C
--- 192.168.1.102 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.357/0.387/0.416/0.020 ms
user@vpn:~# traceroute 192.168.1.102
traceroute to 192.168.1.102 (192.168.1.102), 30 hops max, 60 byte packets
 1  192.168.1.102 (192.168.1.102)  0.353 ms  0.410 ms  0.296 ms